Majority-Circuits Are Good

Pretty interesting writeup of a hack on the SWIFT banking system last year:

One thing that is astounding to me is the fact that the SWIFT network seems to rely on human bankers to double check paper receipts. And that the system checks rules on the individual client computers. Endpoint nodes, in other words.

I would have expected that given the volumes of money involved, there would be majority-circuit systems in place: i.e. one Windows machine, one Linux machine, one Mac machine, which all have to validate transactions using identical input. Inconsistencies in output would then indicate whether some kind of hack was occurring on one of the three systems.

This would prevent any single point of failure from causing invalid transfers to occur and it would mean anyone wanting to crack your system would have to find 0-day vulnerabilities on at least two heterogeneous machines.

On aircraft, this kind of multiple redundancy means that many critical electronics units have two or possibly three systems processing the same information. Sometimes this also means multiple power supplies, multiple AFDX networking switches, even potentially using two different CPU architectures and two different compilers to guarantee that bugs can be identified and mitigated in these foundational pieces.

Surely, I would hope money transfer systems have this kind of multi-layer defense-in-depth?