Sunday, June 7, 2015

Identity Theft and the Digital World..


One's identity is something we take for granted (after all, it is you), and we expect the various organisations we deal with, including governments, to protect it. Yet these same organisations are at the heart of the identity theft problem.

“Digital identity” is the sum of all digitally available information about an individual. It is becoming increasingly complete and traceable, driven by the exponential growth of available data and the big data capabilities to process it. The issue addressed in this article is the ability to link the digital and physical worlds, and how a compromise within the digital world can affect the physical identity, i.e. identity theft.

The most widely used "personal" identifying data elements are birth dates, names and addresses, and drivers licence numbers. The aggregation of this data underpins our "identity" for many digital transactions. Many organisations routinely collect this information; some, like banks, use birth dates continuously, even when precluded by the Privacy Act.
Today the collection of personal identifying data has become epidemic, and it grows every day. Night clubs and hotels (with zero security protection or regulations in place) routinely photocopy an individual's drivers licence. Banks photocopy drivers licences and birth certificates, even though this is not required under any legislation. With a drivers licence, a birth date and data readily available from a postbox or even online, almost anyone can open a bank account online as "you" today.

Once your identity is lost, it can become impossible to participate in today's digital and physical world. Many have taken years to address the theft of their identity, and properties have been sold from under their owners.

In most of these cases, and in almost all commercial transactions within the digital world we all live in, "identity" is actually not required; what is required is positive "authentication".

A typical example is buying and selling, or commerce. For most of history this has been done via stored value tokens, or "money". Coins or notes issued by national banks have zero linkage to any individual; they simply circulate within the community and are exchanged for goods or services.

The majority of commercial contracts are finalised with a "signature", which also has zero identity requirements; the thrust of a signature is to support non-repudiation.


Enter The Digital World..
In this world everything changed; all of the previous 1000+ years of commerce was thrown away.
All of a sudden (in relative time), the need to "identify" was introduced, primarily due to an Orwellian need by governments and organisations to track various individuals and their activities in the digital world. The infamous "Australia Card" was perhaps the best example: while rejected by the population, it has been introduced via TFNs and drivers licences, and data aggregation, without the individual's informed consent.

Putting aside these "political" issues, consider the real risks associated with the wide-ranging collection, centralized storage and sharing of "identity" information, without even the most basic security.

There is simply no reason for any individual to provide anyone with their birth date, ever, unless one wants to celebrate such an event.
If a bank wants to verify a client, then it should preferably allow the client to provide an authentication "token", or it should provide one to the customer. In no case should a personal and irrevocable birth date be used. It's simple: one cannot change one's birth date if its usage is compromised.

The key to securing any identity is the removal of the need for any "centralized" solution, and ensuring that control of any "identity" remains solely with the individual.

The solution to Identity Theft, is not complicated,
STOP:
  • Collecting personal identifying data which is not required to perform the immediate activity, by the requesting entity.
  • Storing any personal identifying data in any centralized system.
  • Sharing or accessing any personal data without the explicit approval, on a per request basis by the Individual
  • Storing aggregated personal identifying data in any System 
  • Sharing personal data, outside of the initial receiving entity and system
  • Routinely requiring personal identifying data as a part of an authentication process.
In order to prevent identity theft, in all cases the customer should be able to provide the "authentication token" to be used by any organisation when requesting authentication. This is a very basic security and privacy requirement, and a part of the digital world today.

Authentication in the Digital World.
The most common form of authentication in use today is the "user name" and "password" duple.
The username is not required to identify the user, but rather is used as a "synonym", and the shared secret is the "password".

The fundamental security flaw with this scheme is the need to have a "shared" secret, the password. If the "secret" is not kept secret or managed correctly, then the authentication scheme will fail, i.e. it can be compromised. A credit card is a simple variant: the CC number is the synonym and the PIN is the shared secret. There is nothing secret about the CC number.

A digital Solution for the Digital World..
As identity theft is a by-product of the increasing use of the digital world, the same digital world needs to provide a solution.

The fully decentralized, anonymous, secure identity.
Enter the Secure Identity Number (SIN): a totally digital identity that may be securely used for any type of transaction within the digital world, including replacement of the traditional username/password.
A SIN is the unique record identifier by which this identity will be known. The key concepts are:
  • there is no centralized infrastructure or entity required
  • the secure identity is under the total control of the Individual
  • can securely support the full range of Identity and authentication requirements

Attributes:
  • Ownership can be digitally proven with high assurance, and possible non-repudiation
  • Disposable
  • Optionally attach sequence of key-value pairs (public proof) and hashes (private proof) to your SIN record. 
  • Start out as anonymous identity, and as required, support opt out of anonymity on a per SIN basis, by attaching identifying key-value pairs (real.name = "John Smith").
  • All key-value pair updates digitally signed by SIN owner (private key holder)
  • Third parties may offer digital attestations:
    • Identity Verification, Inc. digitally signs a SIN as passing their 100 points check.
    • Auction Provider, digitally signs a SIN as having a certain reputation score, on their website.
    • Decentralized market users, digitally sign one another's SINs, building a decentralized reputation, social media.
Within the Cognition Public Block Chain Ledger, these signed "attributes" are stored within industry standard DNS "TXT" records for the entity identified by the SIN. This is just one of the many possible options for securely linking and distributing public attributes to the world.

The technical bits
The solution makes use of existing global software and infrastructure, as a simple add-on.
SIN is a new form of identity based on a cryptographic key pair. SINs were originally proposed by Bitcoin Core developer Jeff Garzik.

The SIN is analogous to a Bitcoin address, as it takes the following form:
base16WithCheckSum( 0x0F + 0x02 + ripemd160( sha256(k1) ) )
Where k1 is your public key from an ECDSA keypair. 0x0F is the special byte for SINs, and 0x02 is the type of SIN; in this case, an ephemeral or standalone identity.

This SIN can be shared openly with the world, as the corresponding private key is kept on the client-side and never transmitted over the wire, and never shared with any entity.

How does Secure Identity Number(SIN)  based  authentication work?
The general flow to authenticate a request is as follows.
  • Key generation: Individual generates a key pair k using ECDSA (use a free ECDSA key chain service).
  • SIN construction: with public key k1, concatenate the SIN version byte and hashed public key, then encode this in the base16WithCheckSum format.
  • SIN sharing: register your SIN with the remote service using a mechanism of your choosing; generally, this takes place with client registration.
  • Submitting Requests: requests are made over lightweight HTTP/JSON, with the x-signature and x-identity headers:
    • generate a unique, higher-than-previous nonce (we recommend using a "unix time" integer), and include it as the nonce HTTP parameter of your request
    • include your compressed bitcoin public key (hex encoded string) in the x-identity header
    • if a JSON body is included, set the content type to "application/json"
    • concatenate and sign base URL + URI + JSON with your private key, and provide the resulting bitcoin message signature as a hex encoded string in x-signature
  • Receiving System: will validate request using x-signature and x-identity header:
    • check x-identity against stored SIN
    • use x-identity header and posted data to validate x-signature
    • optionally check any attributes linked to the registered SIN.

The server will now verify the signature against the public key you've provided and the SIN you've shared previously (does not need to be a secret), confirm that the signed nonce is greater than this SIN’s previous nonces (preventing replay attacks), and subsequently authenticate the request.

Replacing Usernames and Passwords
The authentication scheme is directly compatible with the familiar username (or email) and password mechanic. The primary difference is that the password is never sent over the wire, in any format.
Using this mechanism, you can still provide the user with the experience of entering a username and a password, but locally use that password to decrypt the private key and subsequently use it to sign the request.

Advantages over existing authentication mechanisms
Gone are the days when a single hacker can compromise an entire customer base's credentials; the removal of all shared secrets is the key to improving on-line security. In the above, passwords are only used locally, to encrypt the private key.
  • Support for per transaction (ephemeral) as well as persistent SINs to manage the scope of any compromise.
  • Only a compromise of the client machine can endanger the system, and hardware backed ECDSA keys can readily address this possibility.
  • Because the private key is never revealed to the server, it does not need to be exchanged between the server and client over a side channel, there is No Shared Secret to compromise.
  • Piggy backs on the global, and freely available Bitcoin protocol infrastructure, no central PKI is required.
  • Decoupled from Bitcoin addresses, allowing for a more explicit separation from financial transactions and for greater privacy; also allows support for algorithm agile solutions.
  • Support for persistent and ephemeral SINs to manage compromise.
  • Identity becomes portable: the same identity can be used on multiple services, letting you take your identity with you.
It's time for individuals to take control over their digital identity and how or when their data is used and stored.

What if I need to prove my identity?
Within a community, there are situations where it is required to provide an assurance of "identity", a simple fact of living in a community.
The SIN framework has been designed to allow an opt in to a "set of signed attributes" on a per SIN basis and still under the total control of the individual.

Why should Corporations and Governments world wide, care about personal data?
BCG estimates that two-thirds of the potential digital identity value, or about €440 billion in 2020 alone, is at risk if stakeholders fail to protect personal data.
Nor is it digital identity value alone: the additional revenues or efficiency gains derived from personal data applications are also at risk. Mishaps in handling consumers' data can go much further, causing damage to an organisation's brand, its client relationships and its reputation. Privacy is increasingly becoming an area of competitive differentiation.

Usage today
All subscribers to VillageMall have a hardware generated and secured ECDSA key, and type 1 SIN incorporated, for free, with their subscription.
The world's first Global Digital Identity Service with SIN attributes is now operational, and publicly available (see DNS domain blockchainledger.net).
The first usage is to secure our Cognition API, including the BYOD management system, used to manage lost, stolen or compromised mobile devices and access to the Cognition Suite of Services.


Disclaimer The contents of this site should not be understood to be accounting, taxation or investment advice but rather as general product related educational information that may or may not meet your specific requirements.

Monday, June 1, 2015

Triple Entry Accounting, and Secure Block Chain Ledgers..


The magic in this space is what we sometimes hear called triple entry, which is highlighted by the bitcoin block chain’s success in mounting an independent currency over a shared ledger.

We all know how insubstantial internal ledger entries are, and how we can really only rely on them to the extent that we trust our internal processes (e.g. who can forget the Enron events of 2007 leading to a popular view that accounting and audit have failed us).

On the other hand, we also see how solid payment systems are. Whether bank- or Government- or private-run, payments generally work. When these multi-party activities do not work, all hell breaks loose, and people run, sometimes quite literally, to other systems.

When accounting ledgers break, we sigh and move on. Triple entry, via Block Chain Ledgers takes us from the unreliable fantasy of the accounting entry to the hard concrete reality of the payment: the secure distributed Block Chain Ledger is as solid as a bitcoin payment.

Quite simply, the basics of accounting have not changed for hundreds of years.
Today, attempts are made to address the many well-known issues by formulating new rules, employing more auditors and investing in more IT infrastructure. This is the wrong approach.

I believe most of the above are solvable by doing four things:
  1. Make accounting of a business activity an integral part of that activity, instead of treating it as a separate process. What if the invoice was the journal?
  2. Sharing data between entities. Any business transaction involves an agreement of value by one or more parties. Privacy is not a problem as all parties should be recording the same data.
  3. Using cloud accounting ledgers. Enterprises maintain simple private ledgers. Cloud APIs allow for easy integration and the development of apps.
  4. Securing each ledger with private block chains brings existing accounting systems into today's digital world, without throwing away everything (like bitcoin has done).
Bitcoin achieves the first two things for cash payments. By creating and signing a Bitcoin transaction, one generates a proof (which is consensus verified) that the transaction happened and they had the rights & obligations to the unspent transaction outputs referenced in the transaction.

This doesn't mean that bitcoin should replace double entry; rather, it augments the traditional accounting system ledger by providing a way for parties to share certain transactions as if they were as solid as payments.

E.g., when Alice Ltd wants to pay Bob Ltd, Alice will no longer rely on its accounting systems alone to describe this situation, and neither will Bob. Both of these parties will share a “receipt” that is cryptographically signed by some party that has mediated it (could be an existing bank such as ANZ, the Reserve Bank of Australia, or it could be VillageMall).


Triple entry accounting is very simple: as shown above, there are three parties, each holding a copy of the same receipt, hence the label "triple entry". In the Bitcoin world, the middle intermediary is the bitcoin block chain and the two other parties are the wallets.

The receipt or public book above is itself strong because it is cryptographically authorised by the payer, and cryptographically signed off by the mediator (as a minimum). It represents such solid evidence that it is practically irrefutable in terms of the facts on record, and it is trivially automated in audit terms.

Holding this entry is far more flexible than Alice and Bob relying solely on their double entry systems because, firstly, you can build the double entry systems out of the collection of receipts any time you need them, and secondly, it is so strong that it can be used as evidence to create derivative claims. E.g. it’s a set-up for securitisation or loaning contracts or other more advanced uses. And, it’s a lot easier to audit because it is such solid evidence.

Back to bitcoin and its block chain. This is the first social experiment in a large scale triple entry issuance. In part, seeing what happens on the block chain generates excitement because we perceive an ability for any company to turn its stalled internal assets into contracts that are then dynamically mediated through cryptographic receipts.

Once one can issue all the accounted assets into a triple entry arrangement that others will instantly respect, finance will democratise.

Savings for every Accounting Ledger
According to Santander (2015), "distributed ledger technology could reduce the banks' infrastructure costs attributable to cross-border payments, securities trading and regulatory compliance by between $15-20 billion per annum by 2022".

So where are we at today?
With the release in 2004 of commercial Block Chain Ledgers, the double entry accounting of each party, Alice and Bob, can now be secured and audited via their individual "Private" Block Chain Ledgers. With the introduction of an intermediary or Public Block Chain Ledger (public ledger above), and communications based upon existing bitcoin block chain protocols, today we have a full implementation of commercial "triple entry accounting", where each end accounting system and the intermediary public block chain provide a "secure" distributed triple entry ledger.

This concept can be expanded: Bob above can maintain a local ledger containing all its adjustments, but it can also maintain a distributed ledger which contains details of all transactions or contracts. As the distributed ledger is agreed upon by all participants and there are digital signatures to provide a degree of non-repudiation, auditors can rely on this ledger. The auditor's job starts getting easier; finally the digital world helps to secure old world double entry systems.

Worked Purchase Contract Example:
1. Alice -> Purchase Widget from -> Bob.
2. Bob -> Ships Widget and Invoice -> Alice
3. Bob -> Posts journal DR Account Receivable, CR Income to Private BCL
4. Posts Transaction, with unique TxnId to Public Block Chain Ledger (PBCL)
5. Alice -> Posts Transaction DR Expenses, CR Accounts Payable to Private BCL
6. Post transaction with same TxnId to Public Block Chain Ledger (PBCL)
7. PBCL -> combines messages 4 and 6 along with their signatures (Contract)
8. PBCL -> countersigns and timestamps the combined message 7, along with transactions (i.e. DRs and CRs) and posts to the PBCL.

Worked Payment Contract Example:
1. Alice -> Pays -> Bob.
2. Alice -> Posts Transaction CR Bank, DR Accounts Payable to Private BCL
3. Posts Transaction, with unique TxnId to Public Block Chain Ledger (PBCL)
4. Bob -> Receives Payment -> From Alice
5. Posts journal CR Account Receivable, DR Bank to Private BCL
6. Posts Transaction, with unique TxnId to Public Block Chain Ledger (PBCL)
7. PBCL -> combines messages 3 and 6 along with their signatures (Contract)
8. PBCL -> countersigns and timestamps the combined message 7, along with transactions (i.e. DRs and CRs) and posts to the PBCL.

I believe that while the above could represent a practical Public Block Chain Ledger,  the commercial reality is likely to drive a range of specialist PBCL, i.e. each focused on a specific use case. Collectively these will form the globally decentralised Public Block Chain Ledger.  Each segment of the PBCL is navigated using Internet DNS entries, within the domain blockchainledger.net. An example of a reference specialist "payments" PBCL is provided at the end of this article.

In the case where a bank is offering the PBCL, the changes to the above example are trivial. The point is that all types of interactions, P2P or traditional intermediary, are supported. In the case of a bank intermediary, the Public Block Chain Ledger for each entity would simply be their "Bank Statement". The unique aspect of an architecture with both private and public Block Chain Ledgers is that the distributed PBCL supports all "between" entity transactions, and hence the concept of "gateways" as used in almost all crypto-currencies is not required. With the PBCL and P2P transactions there are no settlement or clearing delays, as all entries are atomic and instantaneous. In the case of no intermediary there are some additional joint signatures required to secure the transaction, over the intermediary signature used, but all use standard cryptographic techniques.

The fully distributed Global Public Block Chain Ledger is the record of truth, and available to all; the atomic nature of all Block Chain Ledger transactions allows instantaneous transfers to occur.

In fact, when the PBCL is applied to P2P payments, we do not see why all payments should not be free, as our analysis shows the incremental cost is close to zero, and each Private Block Chain Ledger can easily support its part of the decentralised PBCL. The same could be applied to all commercial transactions which are capable of being processed through an accounting system, which is virtually everything.

An enhancement within the Block Chain Ledger over bitcoin allows each and every block to have a unique private ECDSA key, and the digital time-stamped signature is applied atomically to each transaction block. This enhancement allows instantaneous sealing of each block and all transactions in time, plus traditional bitcoin identification of each block (address), and hence the ability to instantly post to the PBCL. It also supports detection of duplicate transactions. As the private Block Chain Ledgers cannot be changed or altered in any way by either Alice or Bob, the PBCL can request the parts of the block chain necessary to validate each Private Block Chain Ledger before signing the triple entry.

The public block chain ledger provides a real-time, atomic transaction, and reporting system.
The atomic transaction is completed once the PBCL entry in 8 above is posted to the PBCL; each party, Alice and Bob, and anyone else can verify the "Contract" or transaction, with a deterministic level of non-repudiation.

An auditor can request all transaction data and, if required, can countersign a block within the PBCL and hence bind parts of both Alice's and Bob's private Block Chain Ledgers and also the PBCL in time (see BlockAuth detached time-stamp signature specification).

The point is that if one is inherently happy about transactions, then the accounting and audit process becomes much simpler; there is no need for reconciliations or for an auditor to mess about with 3rd party confirmations (which are almost never returned!). An auditor can also gain 100% assurance into the existence and completeness of transactions with counter-parties – this is the holy grail of audit.

As mentioned in the above comment, this is super useful, not only for audit. Due diligence, tax reporting and generating data for financial reporting also benefit; in fact almost everything benefits from this approach.

Bitcoin already contains a set of protocols which will allow interaction between each Private Block Chain and the Public Block Chain. With minor tweaks, this existing code and network allows a kick start to a more commercial set of Block Chain Applications that for the most part have nothing to do with digital money. Additionally, as the Block Chain Ledger is based on traditional double entry accounting systems, a mixture of P2P and more traditional Public Block Chains can be utilised. As above, the Reserve Bank could run an inter-banking Block Chain Ledger that has all of the existing frameworks, but in this case is actually secure and suitable for the modern "digital" world we all work in.


Welcome to the Internet of Value.
The intermediary Block Chain Ledger is in fact "signing off" or witnessing both sides of the block chain ledger's transaction; this is in fact the "Contract" process. The ledger transactions could be stock trading, property sales, or in fact anything that can be processed through a standard double entry accounting system.

The Internet of Value’s ubiquitous, seamless, comprehensive and secure method of transferring value allows for the distribution of value in all sorts of novel ways.

Some obvious use cases:
  • syndicated loans
  • trade finance
  • supply chain provenance
  • asset provenance
  • clearing/settling
  • cross-border payments
  • inter-bank payments
  • identity/data authentication
  • private stock/equity issuance
  • contracts 
  • global P2P payments

Implementation example.
Theory is fine, but one also needs concrete commercial examples. One such implementation is the Cognition Cloud Accounting Engine, a modern cloud based double entry accounting engine which is required to process high volumes of transactions. Its internal design is consistent with the design requirements of a Private Block Chain Ledger; in fact each Cognition ledger has a fully integrated block chain today, using existing bitcoin technologies.
The BlockAuth Detached, Time Stamped Signature has already been implemented in commercial Private Block Chain Ledgers, such as superannuation funds, in 2015.

The building blocks are here today, allowing companies to run their own secure private block chain ledgers, and also allowing future integration with public Block Chain Ledgers.

Reference Implementation
In the reference implementation, using a commercial hash keyed database, ~10,000 blocks per second could be processed. This is for each distributed Public Block Chain Ledger (PBCL) node within the PBCLs. Hence the total processing of the PBCL is practically unlimited. The reference implementation supported ~5,000 read operations; this asymmetry is typical of commercial databases. This performance is relatively independent of the number of transactions in the distributed PBCL.

Performance Comparison:
  • Bitcoin 7 tps
  • PayPal 115 tps
  • PBCL 10,000 tps for each PBCL node, unlimited across the global PBCL
  • Visa network 56,000 tps

Storage Comparison
  • Bitcoin, at very high transaction rates each block can be over half a gigabyte in size
  • PBCL typically less than 10 KB per transaction

Update 2016.
We have released the first Block Chain Ledger Payments Rail, which implements "triple entry" accounting as described in this article. In addition, the world's first Bank International Settlements defined DvP Model 1, atomic cross ledger settlement.
See The Holy Grail of Settlements

Details:
The Global Block Chain Payment Rail
The Global Block Chain Securities Settlement Rail

Also see
1. Free hardware generated and protected Bitcoin Private key and key-chain.
2. Identity Theft and the Digital World..
3. Navigating the Public Block Chain Ledger


Thursday, May 21, 2015

Free hardware generated and protected Bitcoin/BlockAuth ECDSA Private keys.

Available to all Subscribers, a free hardware generated, and protected Bitcoin and BlockAuth ECDSA private key.
From 1st July 2015, all current and future Subscribers will have a free ECDSA private key, generated within, and protected by our Cloud based Hardware security Module (HSM).

We offer this service to enhance the security of Bitcoin private keys, and to expand the usage of ECDSA signatures within a wider range of electronic commerce operations. Physical signatures are free today, so why not digital signatures?

The history of cryptography shows us that good cryptography has been repeatedly defeated not because of bad math, but because of bad implementations of good math.

A paper was published by researchers from Australia and the UK describing an attack on OpenSSL’s implementation of ECDSA for curve secp256k1 (the one used by the Bitcoin protocol). The danger of key leakage via poor random data or side channel attacks is a concern, but is manageable with proper implementations. We believe hardware is necessary for the small number of security critical functions, and by making hardware based solutions free, there is simply no basis to continue to have these security issues within any FinTech application.

If you think these types of exploits are esoteric (and in reality many are), and nothing could happen to you, consider "There are nearly 150 Breeds Of Bitcoin-Stealing Malware In The Wild, Researchers Say". If your "Wallet file" is encrypted and held to ransom, all of your bitcoins are effectively gone, and there is no-one to turn to.

The recent introduction of Bitcoin Hierarchical Deterministic (HD) Wallets, or Extended Private and Public Keys, has introduced additional side channel attack vectors, and has allowed a single seed compromise to provide access to all private keys.

All ECDSA keys provided are unique, hardware generated and protected. There is no known relationship, or side channel leak, between any two ECDSA keys within the system. Additionally, the key generation process does not expose any private keys based upon the knowledge of any public key, a vulnerability in some bitcoin HD key chains.

We hope the introduction of free hardware protected ECDSA keys will contribute to improved security for Bitcoin and all ECDSA signatures across current and future ECDSA and ECDH based applications. Additionally, we plan to offer mature implementations of core cryptographic support functions via our REST/JSON API, available to any VAR. Why would developers want to keep implementing the basic functions over and over again when these are available? This allows developers to concentrate on the business side of typical FinTech applications.

Initial usage will include signing of all documents within Accountants Web Office (AWO), tax returns, tax declarations and almost any electronic media stored within the AWO suite of services.
Additionally, the service supports a private key chain, which can generate an unlimited number of single use ECDSA public keys (bitcoin-like payment keys), within the Cognition Public Block Chain, or any future public Block Chain supported FinTech applications.
The Cognition API also offers secure framework agnostic, enterprise BYOD device management.

Securing each subscribers ECDSA key material via hardware, is essential to the future of all electronic commerce applications, especially FinTech applications.

From the 1st July 2015, the introduction of freely available secure ECDSA private keys to all VillageMall Subscribers removes one of the last barriers to adoption of secure FinTech applications. Optional multi-factor authentication of every "affixed" signature takes FinTech applications to the next security level.

Hardware-based security underpins our range of secure business, accounting and FinTech applications offered via VARs, including our Private and Public Block Chain Ledgers. All are available via an open Cognition REST/JSON API; access is freely available to all Cognition VARs and their clients.

Features:

  • Free, included with each VillageMall Subscription
  • Includes persistent (Type 0x01), Block Chain Ledger, Secure Identification Number (SIN)
  • Hardware (Cloud HSM) internally generated and protected key material
  • Unlimited single-use bitcoin private ECDSA keys, stored and accessible via Key Chain
  • Key Chain can be bound to mobile device(s), and is accessible via API
  • Supports bitcoin DER and Recoverable Signature generation and verification via API
  • Key Chain helps prevent loss of bitcoins when a mobile device is lost, stolen or compromised (ransomware)
  • Optional Multi Factor Authentication (HOTP) for signatures (i.e. human authentication)
  • Ephemeral ECDSA private key, no long term private key storage, reduces risk of key compromise, with static ECDSA public key and Bitcoin Address
  • Private keys secured to reduce possibility of private key access or loss, critical when used with bitcoin
  • Exploits global bitcoin infrastructure for non-bitcoin applications such as Public Block Chain Ledgers
  • Supports Bitcoin Transaction (DER) signature, Message signature and getPublicKey() methods via API, only available to VARs

Elliptic curve cryptography is a powerful technology that can enable faster and more secure cryptography across the Internet, without the need for any PKI or complex identification processes. The time has come for ECDSA to be widely deployed. We are taking the first steps towards that goal by enabling customers to use hardware-secured ECDSA keys within any FinTech application.

The next generation of secure applications are available today.

Check out our next generation Public Block Chain Ledger (PBCL) for Accounting, Superannuation, Portfolio and other FinTech applications. For an insight on the future of Block Chain Ledgers (BCL) and Trust, see Accountants, FinTech and bitcoin BlockChain or the underlying Triple Entry Accounting and Block Chain Ledgers, plus BlockAuth, the new decentralised authentication for FinTech and the Internet.


Disclaimer The contents of this site should not be understood to be accounting, taxation or investment advice but rather as general product related educational information that may or may not meet your specific requirements.

Wednesday, May 20, 2015

Cognition-> Public Block Chain Ledger for Accounting, SMSF, and Portfolio processing.


Bitcoin is probably the most well known public block chain implementation.
In the first Quarter of 2015, we introduced the first secure, private Block Chain Ledger, as part of the Cognition Cloud Accounting Engine solution.

This private Ledger Block Chain differed from the bitcoin implementation in several ways:

  • The block chain is secured by mature, hardware-based cryptography, capable of third party ITSEC evaluation
  • The block chain is fully distributed (bitcoin is a centralised block chain), and bound to a single ledger
  • The Cognition block chain, due to its decentralized architecture, can scale to billions of transactions without any performance degradation or massive size.

Within the commercial world, not all ledgers need or want to be public; the dual threaded distributed block chains allow a commercial decision to be made regarding exposure to the public block chain.
As an example, a Broker may only expose trade related transactions while keeping internal settlement private; this allows full disclosure of all trading, which may be the objective of the public block chain.

Likewise, there is a commercial need to support a bitcoin-like "public" block chain for a number of FinTech applications. In order to meet this requirement, we plan a 3rd Qtr release of a Public Block Chain ledger as follows:
  • Be a bitcoin-like block chain ledger
  • Map any private block chain Ledger into a bitcoin-like seamless public block chain.
  • Map secure private block chain ledger onto the ECDSA bitcoin implementation
  • Support ephemeral ECDSA private key in public block chain, to reduce bitcoin-like vulnerabilities
  • Map the private block chain Ledger onto a number of ECDSA related BIPs, including support for bitcoin-like address, multiple public keys, derived public key from signatures.
  • There is no need for any mining, consensus or linkage to money printing; this is a commercial Ledger.
  • A DNS-like global Block Chain ledger navigation.
  • All access via a secure REST/JSON API.
  • Platform and OS agnostic.
  • Explicit permission required to publish as a "Public Block Chain"

The dual thread, private/public block chain ledger is designed to allow a wide range of commercial applications to be supported by Public Block Chain Ledgers (PBCL).

We plan on releasing the specifications for the decentralized Public Block Chain Ledger (PBCL) into the public domain, on or around the first release.

The Public Block Chain Ledger is derived from a full featured, commercial Cognition Cloud Accounting Engine, and provides full featured reporting and compliance processing, with integrated Accountant back office Virtual CFO support.

Initial Block Chain support is proposed for the following:

  • Self Managed Superannuation Funds (SMSF)
  • Broker Portfolio Solution (BPS)
  • General purpose Cognition Accounting.

The next generation FinTech accounting Block Chain Ledger engine is available today to any VAR, and as a Public Block Chain Ledger from 3rd Quarter 2015.

Contact VillageMall for details or to be involved in the early trials.


Monday, May 18, 2015

Accountants, FinTech and bitcoin BlockChain


There is a lot of hype at the moment about Bitcoin block chains (especially in the FinTech market), and about bitcoin-like digital automation replacing accountants.

Bitcoin was designed to substitute technology for trust. "What is needed is an electronic payment system based on cryptographic proof instead of trust, allowing any two willing parties to transact directly with each other without the need for a trusted third party" Nakamoto wrote in the original Bitcoin white paper.

A fair bit of Bitcoin is the normal "marketing hype", generated by geeks, start-ups seeking to raise capital based upon a little known set of crypto and a promise of something unique and new, or people simply wanting to print money themselves.

Bitcoin, like most technologies, has a number of advantages and disadvantages, i.e. it "cut the suit" to meet a specific purpose. From a technical crypto perspective, bitcoin has some very cool aspects in its various protocols, especially the ECDSA signature usage, which is quite innovative.

Bit of history on digital currencies.
From a security perspective, Bitcoin is light years behind technologies which predate it by at least a decade; one such example is Mondex. The lack of any mandatory security within Bitcoin is one of several reasons exchanges and personal wallets have been relatively easily compromised, and millions, perhaps billions, of value lost; no one actually knows?

I personally had a play (it was just technology, back in the early days) and left the resultant mined bitcoins on a hard disc, which was lost many moons ago; I am sure I was not alone in doing this. Who knew people would actually trade real value for a signed blob of bits that simply resulted from generating a hash, all with zero intrinsic value? There is no gold here, it's just a bag of bits.

Unlike Mondex, which was independently evaluated and achieved ITSEC level E6 accreditation, there is nothing to justify any claim of security within the various implementations of the bitcoin protocols or even the bitcoin blockchain; it is crypto driven by individuals and groups who want to play in the money printing business.

There is a mantra in the security world: "hardware, hardware and then some more hardware".
No independent security evaluation, no provable security, think snake oil?
One simply cannot make any software-only solution secure, it's this basic.

So why did the likes of Mondex simply vanish, and bitcoin seem to flourish?
Some reasons are related to simple economics: bitcoin allows miners to make money from basically nothing; the whole work factor stuff and consensus is a bit of a security con, more closely related to "junk bonds" than anything else. There are a lot of people who can simply print money if bitcoin is successful, i.e. if Bitcoin is accepted as exchange for items of real value.
Mining and consensus are all about printing money, nothing more.

If one compares Mondex and Bitcoin, one sees nothing functionally new or different in bitcoin over Mondex; both support anonymous transactions, and both make intensive use of crypto. Mondex does not need a 20MB blockchain, growing by the minute, to secure every transaction. Mondex was a truly decentralized transaction solution (no blockchain); there was no real central control or processing; there was control over money supply, which only effectively exists when bitcoin is transferred to fiat currencies. This is perhaps one reason why it is believed ~80% of the original mined bitcoins have not been spent: they need to move out of the junk bond model before redeeming the bag of bits. The fundamental difference is that Mondex was "actually secure", and also very simple to explain. While the crypto underpinning bitcoin is quite simple, the way this crypto is sold is close to snake oil. As a simple example, the selected ECDSA algorithm is still immature technology compared to what was used in Mondex.

So why did Bitcoin take off, and Mondex disappear from the digital currency market?
A few thoughts:

  • A programmer in their spare time, with almost zero capital and almost zero effort, could not create/mine Mondex (money), at least not as those at the top of the mining pyramid could?
  • Bitcoin is heavily skewed to these original miners, more like a pyramid selling scheme than a currency; the Gold reference is also a con, to justify this skewed scheme and provide the early miners a significant monetary advantage which everyone following or participating in bitcoin is paying for (the pyramid).
  • People have been sold a bogus concept, that "crypto" equals security, when nothing could be further from the truth. The whole "crypto" equals "trust" is simply beyond belief, yet this flawed concept underpins bitcoin.
  • Mondex was created by the Banks and hence had all of the establishment "baggage"; there was no room for non-banks to play in the "Mondex Money pond" even though it was anonymous, truly distributed, and secure?
  • There was minimal ability within Mondex for "laundering" of money, due to the lack of any anonymous "mining process".
  • No mandatory or even minimal security is required in bitcoin; zero independent security evaluations exist. The need for "real" security was an impediment to Mondex adoption.
  • Bitcoin runs on the same irrational basis that caused millions of people to up and leave their homes and families to travel all over the world to "mine" gold, diamonds and almost everything of value. Mining does not need to be rationalised, a bit like gambling or many other aspects of our society.

Where else, outside of bitcoin, can a computer simply print money and people line up to buy it with a fiat currency or something of real value? There is in fact no need for any human involvement at all? This is a conceptually broken concept.

Anyway, enough of Mondex vs Bitcoin and history.

Let's focus on the good bits from the Bitcoin BlockChain, and what it means for Accountants and FinTech Ledgers generally.

The concept of securing accounting ledgers with BlockChains is not new; many accounting suppliers toyed with secure or triple entry accounting back in the late 1990s. We released our first secure Web Ledger back in 2004. And yes, accountants and users alike hated it, as they could not simply delete/alter transactions like they could with all existing SME desktop systems, and can do today with the latest generation cloud accounting systems. How times change.

So what has changed since the 1990s? Today there is a market acceptance for crypto (right or wrong) and cloud accounting ledgers. The Cloud has become a commercial reality. Also, there is a fair bit of the basic Bitcoin BlockChain that is useful to the next generation of secure ledgers, rather than just a dedicated payment system, i.e. a Ledger secured by a BlockChain for anything.

So what is required to be fixed in Bitcoin to meet a secure ledger application?


  • There needs to be actual security applied to the blockchain; this means there must be, at minimum, some elements that are secure, i.e. a Hardware Security Module (HSM) which protects all critical "secret" elements of the blockchain system. This is very basic for overall system integrity and risk management.
  • The "printing" of bitcoins must go; the removal of mining also removes a number of the side issues within bitcoin.
  • The consensus process can also go as not relevant; this is a poor man's "trust chain" that can be compromised, especially when the mining return trends towards zero.
  • The centralized and endlessly growing bitcoin blockchain needs to also become a fully distributed blockchain, which can still be navigated on a global basis as required.
  • A Trusted Third Party (TTP) is needed to replace the "consensus" and "work factor" elements.

What is the role of the Accountant/Auditor in this new World?
The same as the old world: the Accountant adds "trust", and a lot more trust than any crypto algorithm does.

To this end, we have added a secure blockchain to our Cognition Cloud Accounting Engine, which is available to all FinTech or other VARs. Note that solving the general secure ledger problem is a bit simpler than creating a payment system.

The accountant can add "trust" to the block chain in the identical manner they do today; in our case they append their audit signature to the blockchain at the appropriate points, reconciliations and year end audits as an example. If required, multiparty signatures can also be applied, to suit various applications.

Our BlockChain is underpinned by a cloud based HSM (similar to Mondex, except in the Cloud) and traditional mature crypto, digitally combined with TTP and Accountant audit processes. The resulting secure Ledger can be applied to any accounting process.
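
The tamper-evident ledger described above, as an added sketch that is not Cognition's code: entries are hash-chained with no mining or consensus, and an auditor seals the chain head at a reconciliation. HMAC-SHA256 stands in for the HSM-held signature, and all function names, the key and the ledger entries are constructed assumptions.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "previous hash" of the first entry


def entry_hash(prev_hash, payload):
    """SHA-256 over the previous entry's hash plus this entry's canonical JSON."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def seal_tag(key, auditor, note, head):
    """Keyed tag binding an auditor to a chain head (stand-in for an HSM signature)."""
    return hmac.new(key, f"{auditor}|{note}|{head}".encode(), hashlib.sha256).hexdigest()


def append(entries, payload):
    prev = entries[-1]["hash"] if entries else GENESIS
    entries.append({"prev": prev, "payload": payload, "hash": entry_hash(prev, payload)})


def seal(entries, auditor, key, note):
    """Append an audit entry that signs everything recorded so far."""
    head = entries[-1]["hash"] if entries else GENESIS
    append(entries, {"type": "audit", "auditor": auditor, "note": note,
                     "sealed_head": head, "tag": seal_tag(key, auditor, note, head)})


def verify(entries, auditor_keys):
    """Return (ok, index of first bad entry or None, count of valid audit seals)."""
    prev, seals = GENESIS, 0
    for i, e in enumerate(entries):
        p = e["payload"]
        if e["prev"] != prev or e["hash"] != entry_hash(prev, p):
            return False, i, seals
        if p.get("type") == "audit":
            key = auditor_keys.get(p["auditor"])
            if key is None or p["sealed_head"] != prev:
                return False, i, seals
            if not hmac.compare_digest(p["tag"], seal_tag(key, p["auditor"], p["note"], prev)):
                return False, i, seals
            seals += 1
        prev = e["hash"]
    return True, None, seals


def rechain(entries):
    """Recompute every hash after an edit, as anyone without the key could."""
    out = []
    for e in entries:
        append(out, e["payload"])
    return out


def demo():
    keys = {"auditor-1": b"constructed-demo-key"}  # constructed; a real key stays in the HSM
    ledger = []
    append(ledger, {"type": "txn", "account": "bank", "cents": 120000})
    append(ledger, {"type": "txn", "account": "rent", "cents": -45000})
    seal(ledger, "auditor-1", keys["auditor-1"], "March reconciliation")
    append(ledger, {"type": "txn", "account": "fees", "cents": -1500})
    edited = copy.deepcopy(ledger)
    edited[1]["payload"]["cents"] = -5000      # altered, hashes left stale
    rehashed = rechain(edited)                 # altered, hashes recomputed
    return verify(ledger, keys), verify(edited, keys), verify(rehashed, keys)


if __name__ == "__main__":
    print(demo())
```

The re-hashed copy passes every plain hash check and fails only at the audit seal, which is why the keyed element is the part that has to sit in protected hardware.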

The future is here today, and can be applied to all accounting applications.
Typical usage:

  • Financial accounting
  • Portfolio management and broker trading
  • SMSF solutions
  • and much more.


Accountants and "Trust" cannot be replaced with cryptographic algorithms and money printing.

We believe the future for the next generation "Digital Knowledge Accountant" is very rosy; robots and cryptography are not a threat to trusted knowledge workers.

Check out our next generation public block chain ledgers, and our initiative to secure global electronic commerce, our Free Bitcoin ECDSA private keys.


The author has no commercial relationship with Mondex; it is simply a technology that existed within the digital money market place, and one which was technically interesting to the Author. It is still the only one that has a strong security platform which underpins the currency transactions, and that had met the normal social "trust" requirements.



Tuesday, March 31, 2015

Digital disruption, the big Bang...

Technology is destined to transform almost every major industry and change the way we live, work, and play in the near future. 

All of Australia’s businesses, including practices, do not need to look far into the future to see the new wave of digital disruption headed towards them. It is already here, transforming the way companies operate and how they engage with their customers. It is estimated at least one-third of the Australian economy faces imminent and major digital disruption 1.

The same technologies that open up unprecedented possibilities, and the innovations which are changing economies and markets and reinventing relationships between organisations, suppliers and customers, also have the potential to totally decimate existing markets and businesses.

Digital Disruption is changing society.

Whether you’re delivering goods or services online, recruiting new talent via LinkedIn, developing a mobile app or ditching your document retention department, you’re already experiencing the upside of digital technology.

In some ways, today’s innovations – broadband, smartphones, the cloud, the ability to analyse complex data sets, social media and other tools that make it now possible to ‘digitise’ a whole business..

The above is nothing, new... what is new is the "gestation" time.

It took a decade to get rid of typewriters and typists, we pioneered "Cloud" technologies back in 2000, they are just maturing in 2015... the real pace of change has been very slow..

But during 2014 all of this changed, with the likes of Airbnb and Uber.
In the space of 18 months, the whole short term rental market has changed forever. In many cities real estate agents have simply left the market altogether, as they simply cannot compete with a direct to client supply chain. 70% of all real estate in Australia is sold via online channels, and there has been an explosion of DIY home sales in the last year, as sellers realise they can reach potential buyers themselves (same shortened supply chain).

Taxi owners, who paid hundreds of thousands for a taxi licence, are seeing them become worthless overnight as customers move to the same direct supply model as Airbnb.

How many women do not buy their cosmetics from Strawberrynet these days?

But this is just the tip of the iceberg...

Not only are supply chains being decimated, but barriers to entry are also crashing down... instead of spending $500k on a taxi licence, one simply signs up to Uber and starts making money as a taxi owner?

25 years ago, one could start up a new bricks and mortar company in Silicon Valley in a day.. today one can create a virtual company with world wide reach with almost zero staff..

In the same way as there was a physical infrastructure within Silicon Valley (premises, corporate, suppliers etc.), the Cloud offers an almost limitless range of suppliers of almost any service. Need staff? Simply plug in highly skilled staff from the Philippines into a modern digital platform, and deliver their services directly to your clients. All possible today.

What has this to do with Accounting practices? or any Australian Business?

Your 20+ something year old staff can now, just like the Uber taxi, start their own practice without any of the traditional bricks and mortar barriers.

As Cloud accounting software spirals towards zero, same as taxi licences, a whole new world emerges where the next generation "Cloud Accountant" delivers high quality accounting services directly to the client, much like Airbnb.

It's all about shortened supply chains, low cost mobile delivery platforms, and next generation cloud software solutions.

Given the digital disruption of Uber and Airbnb, it is realistic to ask: will traditional accounting practices exist in 18 months?

We believe the future is bright for the "next generation" of Cloud accountants, and that they exist in almost every bricks and mortar firm today..

Check out the next generation Accountants Web Office, the future is here today.

1. Deloitte 2015.

Tuesday, February 17, 2015

Who ya gonna call....

What does the Ghostbusters theme song have to do with your Accounting Practice?
It's all about "Trust". It's obvious: if you have a ghost, then the only call is to "Ghost Busters".


As a non-accountant, I find it strange that there is a push to get Accountants to move into the AFSL world, where trust is at an all-time low.

In today's global, uncertain world, Accountants should be proud that they have retained the trust of their Clients. There are many reasons for this, but like most things, clients and the general public have long memories, and the typical local accounting Practice has stood the test of time, and maintained a consistent image within their local and national communities.

Going forward, I predict "Trust" will become the single greatest asset any Practice has.


What is professional trust?
Beyond the definitions, professional trust is the confidence that one has in the people and organizations that work and deliver professional service to the extent that one can rely on their work product, opinions, and judgments..


When professional trust is low, we construct and prescribe formal systems and attempt to ensure that we receive a specific behaviour from professionals. There is a general threat of punishment if we don’t achieve the prescribed formality. This is a loss of respectful regard and has the effect of reducing the benefits of professional reliance.
See anything  familiar about this approach?


When professional trust is high, we rely more on those personal professional connections and develop understood ways of working together. Practice aptitudes that involve diligence, pursuit of competence and reasonableness are evident in behavior.


Like most things within a Practice, one needs a set of procedures, policies and culture to ensure that a "trusted" result is always delivered to the client.


Modern Cloud based Practice Management, with embedded quality, workflow and scheduling systems, underpins a modern Practice's service delivery and client experience.


Check out Accountants Web Office, today...
Your future awaits...




