On 1 October, the public health insurance exchanges being created under the U.S. Patient Protection and Affordable Care Act [pdf] are planned to open. Last week, the U.S. Department of Health and Human Services Centers for Medicare & Medicaid Services (CMS) said that the Data Services Hub used to determine a person's eligibility for government subsidies for this new healthcare program was “ready to go,” according to Reuters.

The CMS stated that, “The completion of this testing confirms that the Hub complies with federal standards and that HHS and CMS have implemented the appropriate procedures and safeguards necessary for the Hub to operate securely on October 1.”

The CMS announcement was very good news indeed considering that: (a) The data hub “can access personal records from seven different agencies—the Internal Revenue Service, the Social Security Administration, the Department of Homeland Security, the Veterans Health Administration, the Department of Defense, the Office of Personnel Management, and the Peace Corps—in order to determine eligibility for exchange subsidies and mandate penalties,” according to Forbes. (b) The HHS Inspector General had released a report [pdf] in August seriously questioning whether the security of the exchanges could be completed by the 1 October deadline, given that a previously estimated 51-day security review was completed in only 10 days. And (c) the exchanges are likely a priority target for hackers.

The good news didn’t last long, however.

Government Executive magazine ran a story this week that reported that “due to limited means, Health and Human Services Department internal watchdogs do not intend to examine key security designs they did not have a chance to assess during [their] recent audit.” Apparently, while the security risks posed by the exchanges are an important concern, they were only one among many needing assessment and competing for HHS's “limited resources.” The higher priority risks—technical and political—were that the exchanges weren’t going to be officially “open for business” on 1 October, the HHS implied.

Republicans have grabbed onto the security doubts as a political gambit to postpone Obamacare, which they are threatening to do by other means as well. Their case was bolstered a bit this week when a Minnesota exchange employee accidentally “sent an e-mail file to an Apple Valley insurance broker’s office on Thursday that contained Social Security numbers, names, business addresses and other identifying information on more than 2400 insurance agents,” the Star Tribune reported. While small from a numbers standpoint, it was significant from a political perspective.

Politics aside, the Obama Administration had better hope that not only is the Data Services Hub secure, but that all the state exchanges are secure as well. If a major breach occurs at an individual state exchange, the public will likely view all health exchanges, regardless of ownership, as being insecure. With “software issues” already occurring in exchanges (Iowa’s Gov. Terry Branstad this week basically said to expect problems with the state's exchange), any data breach could sour more of the public on Obamacare. (A recent survey showed that 53 percent of Americans view the law unfavorably.)

Security a Wee Bit Lax at NSA

NPR radio’s Morning Edition interviewed the National Security Agency’s chief technology officer, Lonny Anderson, and other unnamed government officials this week, who provided more details on how Edward Snowden was able to make off with the treasure trove of highly classified NSA documents without getting caught. According to the NPR interview, as part of his job, Snowden was able to access part of the NSA's intranet website where the documents he stole were put “so NSA analysts could read them online and discuss them. Anyone with the right top secret clearance could visit that page and read the documents. … As a systems administrator, Snowden actually had the responsibility to go to that intranet page and move especially sensitive documents to a more secure location.”

In fact, Snowden was “actually observed accessing secret documents, but the assumption was he was just doing his job.” It was, the officials admitted, the “perfect cover” for someone wanting to steal documents.

The officials refused to discuss how Snowden actually was able to download the documents and leave NSA premises with them undetected. The hypothesis is that Snowden took them out on a USB thumb drive. As of last June, some NSA computers still allowed access to USB thumb drives, a practice highly restricted in DoD since 2008 because of a major security breach.

Anderson told NPR that the NSA finally has a good idea of what Snowden took, but that has taken four months of effort even with hints from Snowden himself. So much for NSA’s vaunted 100 percent audit capability. Probably more worrying to NSA officials is the possibility that someone else preceded Snowden but has never gone public about it.

Budding Cybercriminals Go To School

Finally, a story at ComputerWorld reports that security company RSA has found that “a growing number of experienced hackers have begun offering structured hacking courses for crooks seeking to make a career in cybercrime.”

According to the ComputerWorld story, “The courses range from the basics of online fraud to advanced courses on online anonymity tools, botnets, cleaning up electronic evidence and dealing with law enforcement.” In addition, the course curriculum follows those found at major academic institutions.

Hackers pay about $75 per lecture, with lectures on using credit and debit cards fraudulently highly popular. Lectures are usually held via Skype. The only drawback is that many of the courses are taught in Russian.

No, the story did not discuss the possible transferability of course credit towards a college degree.

Of Other Interest ….

Microsoft Issues Emergency Explorer Fix

Hackers Pool Efforts to Crack iPhone Fingerprint Reader

US Comptroller of the Currency Warns Banks of Cyberattacks

Sophisticated Cybercrime Groups Operating From China

Eight Arrested in U.K. Over Theft of 1.3 Million Pounds from Barclays Branch Computer System

“Snowden Effect” is Hurting U.S. Cloud Providers

Brazil’s President Postpones Trip to Protest NSA Spying

Cybercriminals Flock to Brazil

Brazilian Hacktivists Mistake NASA for NSA

RSA Warns Against Using NSA Breakable Security Algorithm

Photo: Stephen Lam/Getty Images

The Spectacular Collapse of CryptoKitties, the First Big Blockchain Game

A cautionary tale of NFTs, Ethereum, and cryptocurrency security

Frank Stockton

On 4 September 2018, someone known only as Rabono bought an angry cartoon cat named Dragon for 600 ether—an amount of Ethereum cryptocurrency worth about US $170,000 at the time, or $745,000 at the cryptocurrency’s value in July 2022.

It was by far the highest transaction yet for a nonfungible token (NFT), the then-new concept of a unique digital asset. And it was a headline-grabbing opportunity for CryptoKitties, the world’s first blockchain gaming hit. But the sky-high transaction obscured a more difficult truth: CryptoKitties was dying, and it had been for some time.

The launch of CryptoKitties drove up the value of Ether and the number of transactions on its blockchain. Even as the game's transaction volume plummeted, the number of Ethereum transactions continued to rise, possibly because of the arrival of multiple copycat NFT games.

That perhaps unrealistic wish becomes impossible once the downward spiral begins. Players, feeling no other attachment to the game than growing an investment, quickly flee and don’t return.

Whereas some blockchain games have seemingly ignored the perils of CryptoKitties’ quick growth and long decline, others have learned from the strain it placed on the Ethereum network. Most blockchain games now use a sidechain, a blockchain that exists independently but connects to another, more prominent “parent” blockchain. The chains are connected by a bridge that facilitates the transfer of tokens between each chain. This prevents a rise in fees on the primary blockchain, as all game activity occurs on the sidechain.

Yet even this new strategy comes with problems, because sidechains are proving to be less secure than the parent blockchain. An attack on Ronin, the sidechain used by Axie Infinity, let the hackers get away with the equivalent of $600 million. Polygon, another sidechain often used by blockchain games, had to patch an exploit that put $850 million at risk and pay a bug bounty of $2 million to the hacker who spotted the issue. Players who own NFTs on a sidechain are now warily eyeing its security.

Remember Dragon

The cryptocurrency wallet that owns the near million dollar kitten Dragon now holds barely 30 dollars’ worth of ether and hasn’t traded in NFTs for years. Wallets are anonymous, so it’s possible the person behind the wallet moved on to another. Still, it’s hard not to see the wallet’s inactivity as a sign that, for Rabono, the fun didn’t last.

Whether blockchain games and NFTs shoot to the moon or fall to zero, Bladon remains proud of what CryptoKitties accomplished and hopeful it nudged the blockchain industry in a more approachable direction.

“Before CryptoKitties, if you were to say ‘blockchain,’ everyone would have assumed you’re talking about cryptocurrency,” says Bladon. “What I’m proudest of is that it was something genuinely novel. There was real technical innovation, and seemingly, a real culture impact.”

This article was corrected on 11 August 2022 to give the correct date of Bryce Bladon's departure from Dapper Labs.

This article appears in the September 2022 print issue as “The Spectacular Collapse of CryptoKitties.”
