tag:blogger.com,1999:blog-4503292949532760618.post1260143745759990669..comments2024-03-28T13:39:27.601-07:00Comments on DSHR's Blog: The Need For Black HatsDavid.http://www.blogger.com/profile/14498131502038331594noreply@blogger.comBlogger6125tag:blogger.com,1999:blog-4503292949532760618.post-5648440579920603972016-07-03T19:31:27.138-07:002016-07-03T19:31:27.138-07:00Nathaniel Popper's How China Took Center Stage...Nathaniel Popper's <a href="http://www.nytimes.com/2016/07/03/business/dealbook/bitcoin-china.html" rel="nofollow"><i>How China Took Center Stage in Bitcoin’s Civil War</i></a> is a good read, especially the diagram showing the top 3 Chinese pools controlling 59% of the mining power in the last month, and the top 4 over 70%:<br /><br />"Big pool operators have become the kingmakers of the Bitcoin world: Running the pools confers the right to vote on changes to Bitcoin’s software, and the bigger the pool, the more voting power. If members of a pool disagree, they can switch to another pool. But most miners choose a pool based on its payout structure, not its Bitcoin politics."David.https://www.blogger.com/profile/14498131502038331594noreply@blogger.comtag:blogger.com,1999:blog-4503292949532760618.post-76706668743907650762016-06-30T06:26:01.144-07:002016-06-30T06:26:01.144-07:00Zach Graves at Techdirt's Lessons From The Dow...Zach Graves at <i>Techdirt</i>'s <a href="https://www.techdirt.com/articles/20160624/13312834815/lessons-downfall-150m-crowdfunded-experiment-decentralized-governance.shtml" rel="nofollow"><i>Lessons From The Downfall Of A $150M Crowdfunded Experiment In Decentralized Governance</i></a> is well worth a read about the implications of the DAO attacks.David.https://www.blogger.com/profile/14498131502038331594noreply@blogger.comtag:blogger.com,1999:blog-4503292949532760618.post-45815883848440864352016-06-20T10:48:36.629-07:002016-06-20T10:48:36.629-07:00Kevin Marks explains the last point better than I ...Kevin Marks explains the last point better than I can:<br /><br />"This was my point at the summit - when people say 'Bitcoin is secure because if you could hack it you'd steal $7bn' it's more like 'you could destroy $7bn' Digital currencies are like stock in a conglomerate of all the companies using the currency."David.https://www.blogger.com/profile/14498131502038331594noreply@blogger.comtag:blogger.com,1999:blog-4503292949532760618.post-39341024271004215182016-06-19T12:44:53.622-07:002016-06-19T12:44:53.622-07:00With a second similar attack under way, Vitalik Bu...With a second similar attack under way, Vitalik Buterin has posted <a href="https://blog.ethereum.org/2016/06/19/thinking-smart-contract-security/" rel="nofollow"><i>Thinking About Smart Contract Security</i></a>, with a crowd-sourced list of known security issues in Ethereum contracts. He writes:<br /><br />"A final note is that while all of the concerns so far have been about accidental bugs, malicious bugs are an additional concern. How confident can we really be that the MakerDAO decentralized exchange does not have a loophole that lets them take out all of the funds? Some of us in the community may know the MakerDAO team and consider them to be nice people, but the entire purpose of the smart contract security model is to provide guarantees that are strong enough to survive even if that is not the case, so that entities that are not well-connected and established enough for people to trust them automatically and do not have the resources to establish their trustworthiness via a multimillion-dollar licensing process are free to innovate, and have consumers use their services feeling confident about their safety. Hence, any checks or highlights should not just exist at the level of the development environment, they should also exist at the level of block explorers and other tools where independent observers can verify the source code."<br /><br />The comments are interesting.<br /><br />A side note. The value of Ether plunged as soon as the attack was known. Bitcoin advocates often say "there is a bounty of [insert current market cap of BTC] on finding a bug in Bitcoin's code". The result of a bug would be to transfer BTC to the attacker, as with the DAO attack. An attack that transferred all BTC to the attacker would be hard to hide, and would result in the value of BTC plunging. So wile it is true that finding a bug in the Bitcoin code might make the finder a lot of money, it is a wild exaggeration to suggest that the lot of money would equal the BTC market cap. The losses to everyone else would be far greater than the gain to the attacker, who would have killed the goose that laid the golden egg.David.https://www.blogger.com/profile/14498131502038331594noreply@blogger.comtag:blogger.com,1999:blog-4503292949532760618.post-45851630719796837882016-06-17T07:43:54.822-07:002016-06-17T07:43:54.822-07:00As was predictable, the DAO is under attack and th...As was predictable, <a href="https://blog.ethereum.org/2016/06/17/critical-update-re-dao-vulnerability/" rel="nofollow">the DAO is under attack</a> and the fix:<br /><br />"The development community is proposing a soft fork, (with NO ROLLBACK; no transactions or blocks will be “reversed”) which will make any transactions that make any calls/callcodes/delegatecalls that reduce the balance of an account with code hash 0x7278d050619a624f84f51987149ddb439cdaadfba5966f7cfaea7ad44340a4ba (ie. the DAO and children) lead to the transaction (not just the call, the transaction) being invalid, starting from block 1760000 (precise block number subject to change up until the point the code is released), preventing the ether from being withdrawn by the attacker past the 27-day window. This will later be followed up by a hard fork which will give token holders the ability to recover their ether."<br /><br />illustrates that the DAO is neither completely decentralized nor completely autonomous.David.https://www.blogger.com/profile/14498131502038331594noreply@blogger.comtag:blogger.com,1999:blog-4503292949532760618.post-61908988521743334262016-06-08T15:09:48.910-07:002016-06-08T15:09:48.910-07:00I've written before about the difference betwe...I've written before about the difference between the <a href="http://blog.dshr.org/2016/04/brewster-kahles-distributed-web-proposal.html" rel="nofollow">decentralized <i>Web</i></a>, and the <a href="http://blog.dshr.org/2013/01/moving-vs-copying.html" rel="nofollow">decentralized <i>Internet</i></a> implemented by the <a href="http://named-data.net/" rel="nofollow">Named Data Networking</a> (NDN) project. During the <a href="http://www.decentralizedweb.net/" rel="nofollow">Decentralized Web Summit</a> I've been thinking about <a href="http://128.130.60.29/papers/ccn-cache-editorial.pdf" rel="nofollow">privacy in NDN</a>.<br /><br />In the TCP/IP end-to-end world, traffic between the endpoints is very likely to transit the "backbone", so it is very likely to be observed by the NSA and others who have taps into the backbone fiber networks, and everyone legitimately along the path between the endpoints. And routing can be manipulated, for example to ensure that the path between US endpoints includes segments overseas so that it is legal for the NSA to intercept it.<br /><br />In the NDN, in effect each "router" or cache satisfies the requests from its downstream clients (hosts or caches) from its cache, and only forwards cache misses upstream. Thus in order to be sure you see all the traffic for a particular endpoint, you have to be between the end-point and its closest "router". This is mostly the case examined in <a href="http://128.130.60.29/papers/ccn-cache-editorial.pdf" rel="nofollow"><i>Privacy Risks in Named Data Networking</i></a>. The more "routers" there are between the end-point and your observation point, the less you will know about what is being asked for and which endpoint asked for it. And in order to manipulate the "routing" you need to disable all the caches between the endpoint and your observation point.<br /><br />Thus it appears that NDN doesn't do much to inhibit targeted surveillance of individual endpoints, but it does much to reduce the value of taps into the backbone for enabling dragnet surveillance.David.https://www.blogger.com/profile/14498131502038331594noreply@blogger.com