Monthly Archives: June 2016

Blockchain White Paper

Posted on by

By Joseph Raczynski

Abstract: This white paper discusses the history, inner workings and applications of blockchain, an online public ledgering system, and how it will soon significantly impact many aspects of the legal industry. The first part of this paper will show the marvels and the pitfalls of Bitcoin and its underlining blockchain technology. The second part will describe what full global adoption of a cryptocurrency and blockchain technology would entail. And the third will explain the potential legal implications of blockchain technology.

 

Blockchain White Paper – Joseph Raczynski

Blockchain Has Arrived in Legal: Important Observations from Consensus 2017

Posted on by

By Joseph Raczynski

Originally published in The Legal Executive Institute

blockchain

NEW YORK — There was a real moment of inflection recently for me in how I think about the coupling of the legal industry and Blockchain. Having been involved in Bitcoin since 2011 and an evangelist on the topic with dozens of talks in the U.S. and Europe, I found myself in a very surreal place at the recent Consensus 2017 event.

I would describe my time there as a seminal moment as it pertains to the technology. Consensus is the largest conference covering all things Blockchain in the US with approximated 2,500 attendees.

Of the hundreds of conferences and events and I have attended over the years, there has not been a place with as much genuine euphoria as there was during these three days. Certainly, the fact that newly minted millionaires were everywhere did not temper the mood (more on that in a moment). There are a few reasons for this abounding palpable elation which I will detail below.

Blockchain Has Arrived in Legal

There were a host of companies that where sharing their wares. Some were vaporware, others left me as thrilled and warm-hearted as a father seeing their kid walk for the first time. One example, coming from Deloitte, most clearly demonstrates the cusp upon which the legal industry now finds itself.

Deloitte took their first toddler steps in advancing Blockchain in legal, and I was in awe. They were able to take contract automation software, write a contract and load it onto the Bitcoin Blockchain. This is a concept I had tinkered with myself while coding at Thomson Reuters last year, but Deloitte has since made my childish dream into a reality.

The example used in the demo involved taking the process of drawing up a lease between a landlord and a tenant. The lease agreement had a GUI (General User Interface), or a simple questionnaire which would fill in basic information about who was to rent the fictional apartment on the Upper West side of Manhattan. My name, current address, date of move-in and move-out were automatically populated into the document with the contract automation software. Once the tenant and the landlord agreed to the terms, a button was presented to digitally sign the document — creating a hexadecimal hash (a string of letters and numbers unique to the document). That unique string was then saved to the Bitcoin Blockchain.

If either party ever wanted to reference that document again they could use their private key (another string of numbers and letters) to verify the contract details. If even a lowly comma were to change in the document, the entire hash would be invalid and the document rendered null.

Witnessing this demo was groundbreaking for me and something most transactional attorneys will need to be familiar with soon. There are loads of theoretical examples of how Blockchain will work, but not as many significant current implementations as of yet. As I have been promising, with little tangible proof until now, this will be the initial use of Blockchain technology that all firms will be adopting in the not too distant future.

vending

ICOs & the New Gold Rush

The other main theme at the conference was “New Money Everywhere”. The money is coming from Initial Coin Offerings, or ICOs. This discussion around ICOs permeated nearly every conversation and session held at the event. While I had watched ICOs over the last eight months, I had not bought into the idea completely. For background, the ICO is essentially like an Initial Public Offering (IPO) whereby in the a company raises funds by going public via an offering of stock to the public, usually through an investment banker. That stock is then listed and publicly traded over a public exchange; the company must also register with the Securities and Exchange Commission and make regular public filings.

With the ICO, however, a company raises funds via their own website in a crowdfunding-like manner. Often, they post a whitepaper describing their business and how they plan to use the funds — not unlike a IPO’s initial documents. The magic here is that the fundraising leverages the Blockchain to store the information about who contributed, how much and when. The process of storing the aforementioned information securely on the distributed ledger uses “Smart Contracts” which is an enormous development in this space (again, more on this later).

Current regulation in the space is generally non-existent. However, to avoid the suspicion of impropriety and any confusing regulations, companies have designed it so that if you wish to invest, you “donate” your funds via Bitcoin or Ether (the second most popular cryptocurrency). Once you offer your Bitcoin to them you are typically given shares in the company referred to as “coins” or “tokens”. Those electronic coins bought at the ICO rate are eventually listed on publicly traded cryptocurrency sites.

Recently, this is where the mania has ensued, and the millionaires flush with digital currency dwell. Often investors see a huge bump in price when their coins hit the exchanges, followed by a seesaw movement in valuation until the next ICO is released. Traders tend to be fickle as they move in and out of flavor-of-the-month coins and onto the next shiny ICO. These offerings now seem to happen multiple times a week compared to handful a month last year.

consensus

Typically, these ICOs have an open window for people to invest for a week or two but one company called EOS which specializes in “Decentralizing Everything,” will have their ICO for the next 360 days. When making a donation to invest in the fledgling company they offer rather large numbers of digital tokens for Bitcoin or Ether. In the example of Civic, which is a secure identity platform, they requested US dollars for their token, called a CVC, at a rate of one token for 10 cents, with a typical order of $1,000 netting the buyer 10,000 tokens. As an order of magnitude, people that bought in would have made seven times their money in about a week, as the currently CVC token is now valued at 70 cents.

The amount of money invested in ICOs is remarkable. While at the conference, the value of all companies’ combined tokens or coins was pegged at more than $100 billion dollars! This valuation was in the few billions not long ago. Put another way, all of the companies who have launched ICOs are worth more than Morgan Stanley at $78.3 billion. according to current stock valuations.

As you may have gathered, there is tremendous opportunity with ICOs for law firms, in-house counsel and government agencies. Blockchain practices within law firms have emerged across the globe, specializing in assisting companies with the process of the ICO. CooleyPerkinsCoie and Holland & Knight are three innovative firms that have highly specialized attorneys working in this space.

The amount of money invested in ICOs is remarkable. While at the conference, the value of all companies’ combined tokens or coins was pegged at more than $100 billion dollars! 

Also, many regulators are carefully watching from the sidelines which was a point of discussion during the event. To that end, some firms are providing guidance in areas considered confusing for all parties: Federal and State money services law, privacy and security, Intellectual Property and Money Laundering as it pertains to these cryptocurrencies and to Blockchain.

While the eruption of these coin offerings are in general considered to be very positive, lately there have been some challenges. Not unlike what happened during the dot-com IPO boom of the late-1990s, the ICO market is increasingly seeing potential phantom companies that are trying to leverage this mania to turn a quick buck without a real business case. In the coming days or months we will likely see an ICO go very wrong, resulting in thousands of people losing millions of dollars and ultimately upsetting the entire ecosystem.

At that point, several aspects of the legal industry will begin to take shape — first and foremost, there will be a call for regulation both domestically and internationally. Beyond that, I would foresee possible class action lawsuits following, also not unlike those that followed the dot-com bust of the early-2000s. Recently ICOs have strictly forbidden citizens of some countries (mainly the U.S.) from participating in their offerings for fear of lawsuits.

The Initial Coin Offering is an incredibly exciting use of Blockchain technology for business and individuals. The Blockchain’s use of the smart contract to record information, execute actions securely and in a distributed manner is revolutionary. At this moment in time, the technology slashes the middle man in what was a very profitable business once reserved for the big banks and whale investors. With that said, we are in early days — so while billions of Euros, Dollars, Yen and every other major currency races toward these new company ICOs, the legal industry is charting a path to assist… or eventually, help sort through the wreckage.

LegalSEC: Email Security is Priority One for Law Firms

Posted on by

By Joseph Raczynski

BALTIMORE, Md. — “Three strikes and you are out of the firm.” This is the mantra of one law firm when dealing with employees who click on spear-phishing emails, according to Mounil Patel, Strategic Technology Consultant at Mimecast, an email and cloud security firm.

Patel’s comments came at the recent gathering of legal tech and cybersecurity officials, the LegalSEC Summit, presented last week by the International Legal Technology Association (ILTA) in Baltimore.

Simply stated, email is currently the largest hole in law firm and corporate security. Most other aspects of the firm have been shored up over the last several years, including firewall and antivirus protection, malware defenses, and monitoring of networks. However, as Patel pointed out, a law firm can have every monitoring and protection application in place, but email’s reliance on the human decision factor creates major headaches for the firm’s IT staff.

emailTo illustrate, Patel described one incident where he received an email from someone with whom he had worked years ago at a previous company. The email was directed to him and clearly appeared to be from his old colleague’s email address. The cordial note brought up some of their old connections at the previous company and then asked if he would kindly review the attached resume to see if there might be a fit for him at his new company. Patel naturally opened the PDF and the virus payload was released. The point is, with today’s more sophisticated email attacks, there is almost no way for people to know what are genuine correspondences from friends or colleagues and what is a “virus bomb”.

Patel’s advice:

  • Be suspicious of everything that comes into your inbox especially from the outside;
  • .EXEs and .ZIPs files should always be blocked or deleted;
  • PDFs can be difficult — be sure to run the latest patches from Adobe (creator of PDFs);
  • Be aware of where links and URLs are taking you;
  • Law firm or company IT departments should send weekly notes to remind people to be cautious; and
  • For finance, use internal non-email based systems for wire transfers and notifications.

 

It is interesting to note that many law firms and corporations are internally testing their own employees with such targeted spear-phishing attacks similar to the one Patel received. A client of Patel’s ran one such email security campaign and when an attorney was caught opening the attached files or following the links, that person immediately received a pre-recorded message via voicemail from the entire executive partnership that such behavior was unacceptable.

The message went on to state if they were caught twice more they would be terminated — three strikes and they were out.

One best practice noted by one chief information officer at the Summit was that before you start your phishing campaign, let the firm know you are conducting this. She found that attorneys began sending IT suspicious emails proactively. In addition, reaffirm those who do not click the phishing emails, by not noting that they are doing good work.

Email will continue to dog corporations and law firms for the foreseeable future. Ultimately it comes down to humans making decision on what to open and click on. At this point in time, a well-crafted targeted email attack appeals to most people, unfortunately. (In fact, the likelihood of an executive clicking on one of these attacks is at a stunning 96%, according to McAfee.)

So, heeding some of Patel’s advice could save your organization the pains of another attack launched via email.

LegalSEC: Shedding Light on the Dark Net 

Posted on by

By Joseph Raczynski

The importance of law firms understanding the dark web

Your very sensitive private client data could be available for all to see on the Internet right now.  Technically this data would be on the Dark Net or Dark Web.  It is the portion of the World Wide Web that is hidden or inaccessible from normal browsers.  As corporations and law firms grapple with larger and more profound attacks, I think it is important to be aware of how individuals access it and what occurs there to better safeguard your firm from what is happening now.  At the cybersecurity LegalSEC Summit last week in Baltimore, Kevin Lancaster CEO of Winvale, Todd Nielson, President at ‎Secuvant Cyber Security, and Will Nuland, Sr. Security Researcher at Dell SecureWorks, spoke about the nuances around the Dark Net.

The Dark Web, born from a United States government program had positive intent from the onset.  It created a cyberspace where people in disaffected regions could anonymously visit and share ideas freely.  North Koreans and Iranians use this to congregate and postulate new ways to live.  They could then visit this space in the ether and share ideas freely without the fear that they would be persecuted for espousing ideas incongruous with their government point of view.

How to get there:

The following is not advised, but is here as an awareness of how people access the Dark Web.

Mozilla Firefox has a plugin (Tor Project), a simple free application run by a nonprofit organization which turns your normal browser into a Tor Onion enabled browser.  What that means is that the plugin creates a tunneled Internet to a minimum of 100 other locations around the world.  You are essentially establishing a proxy connection to other computers who are running the same Tor software.  This establishes a very strong sense of anonymity and security that no one knows who you are or where you live (IP address).   If I live in Washington, DC after running the plugin I may show up as living in Prague, but first being routed through 99 other cities.

darkweb

Once the application is launched you would need to find an index page, like the Hidden Wiki, which gives users a general launching off point for perusing the Dark Web websites.  It is not a pure search and find environment like Google, though some sites are indexed.  Sites are not set up with URL structure like we have on the Open Web, http://www.thomsonreuters.com.  In fact they appear to be hashed with letters and numbers in a random pattern.  They also end in an .onion compared to the normal .com that we tend to see.  So an example address might be: ijfije856ya5lo.onion.

Once there:

Unfortunately, once a user passes into this realm, there is a minefield awaiting.  The Wiki page starts with the benign and dives headlong into the frightening and disturbing.  You can buy $10,000 of fake US dollars for the equivalent of $5,000 in Bitcoin, the currency of choice.  The cryptocurrency Bitcoin is also generally considered anonymous.   Other possibilities include, hiring a hacker, buying prescription drugs, and buying illegal drugs, and acquiring arms or if you so desired, get involved in unregulated medical trials.  On the darker side, you can even hire a hit man.

Law Firm Perspective on Dark Web:

The key important piece to this post is that law firms are now being brought into the dark side.  Criminals are stealing IP information, M&A information and dropping off onto the Dark Web.  Other groups are grabbing proprietary information or sensitive client information from law firm networks and saving it onto the Dark Net to either expose the firm, or to hold at ransom.  Hackers for hire have been used to target corporations and law firms.

One of the subjects that was asked of the panel, how should firms handle the Dark Web?   In my time consulting around this subject, I was curious about the response.  The group was split.  Some thought that companies should not use their own networks to access the environment, others stated that in a controlled access situation, they could monitor what is going on the Dark Web to protect their brand.  In fact, it was stated that nearly two million people a day visit, but most are monitoring what is happening.  Law firms and corporations should be looking for client names, login and passwords, email address of their respective company.

With the increase in cyber-attacks, all entities have to be aware of how the hackers operate.  Understanding the Dark Web in the context of this is part of the due diligence for any corporation or law firm today.  Fortunately a new wave of companies are surfacing which can monitor the Dark Net on behalf of your organization.

LegalSEC: Cybersecurity, Rooted in 500 Years of History

Posted on by

By Joseph Raczynski

Learning from colonial piracy about the war on cybersecurity 

“It is a small world.  It’s a fragile world.  No one is safe until everyone is safe.”  These are the cautionary words of Rod Beckstrom of The Rod Beckstrom Group, the keynote speaker at the cybersecurity LegalSEC Summit last week in Baltimore.  With over 350 legal technology professionals leaning into his every word, he set the stage for where cybersecurity is headed with an advisory tale from history now repeating itself on the Internet.  His intent, to arm the guardians overseeing 80-90% of the country’s IP information all sitting in the same room at that moment in time.

History of Pirates

In 1491, the “Erdapfel” of Martin Beheim was created.  It is the oldest surviving terrestrial globe – excluding the Americas.  This sphere was cutting edge technology of the day.  Like any technology its uses can be for the betterment of humanity or its decline.  Not surprisingly, around the release of the globe, piracy began to flourish.  Seafaring scoundrels viewed the world anew with this technology and seized upon its bounty.

These salty scofflaws took four unique forms in their day.  One group of pirates were sponsored by the Dutch, Spanish, and British empires respectively.  Another group realized they could band together using their private ships to attack on the high seas for gems and precious metals.  The third formed a coalition around pirating for a cause.  The last group were one-off ships that would attack others for jewels or money.  These four pirating entities have a present day adaptation.  They translate to State Actors (e.g. China, Iran, North Korea), Organized Crime (e.g. in Russia or Estonia), Hacktivist (e.g. Anonymous) and Lone Hackers (e.g. anyone and everyone).  One new addition, in the Cyber Age there is also the internal threat to organizations known as “Insider Joe” attacks which are very prevalent.

keynote

Present and Future

As Beckstrom described in this presentation, the wars over the years require time for forces to align.  During the Nuclear era, once the major powers acquired these arms, everyone realized it was in the best interest of each country not to use them, i.e. mutually assured destruction.  This is ongoing right now with Cyberwar.  He said that China or Russia could hobble the infrastructure of the United States tomorrow, but they realize that if they did that, the US would do the same to them, therefore no one conducts this sort of cyber-attack.

Law firms are not a sovereign territory so all aforementioned groups are threats and in turn are seeking them out.  These groups have tools which are sold on the Dark Web as out of the box solutions and can wreak havoc for firms in very little time.  In the graphic below Beckstrom outlines an ecosystem where various parties work together but in isolation to earn money or take down a company.  The scripts are created by people and sold to criminals.  While another sets of criminals have harvested millions of credentials.  In conjunction the Criminal Operator uses both to target a law firm or corporation.  Those proceeds or goods are then routed through Mules.  These are everyday people who simply accept packages and send them along to someone else which keeps the money flowing. In most of the law firm attacks, mules are not used, instead data is either released or held at random by the Criminal Operator.

rod1

The only way to combat this said Beckstrom will be a new world of robots fighting robots (computer bots), which is now occurring.  This next era defense is sifting through huge amounts of data and applying cognitive computing and artificial intelligence with a layer of deep learning on top.  In this light he underscored the importance of preparedness.  One of the world’s largest banks, JPMorgan, has decided to pledge a half billion dollars toward the fight on cybersecurity.

Beckstrom closed with the warning to each firm CIO that the time is now to invest heavily in cybersecurity.  Every one of the attacker profiles mentioned are attempting to break in and get access to law firm and corporate information.  Prepare now because time is short – we are not safe until everyone is safe – by taking the responsibility to invest.