Evicting vaults - brainstorm

One thing that doesn’t seem to be being factored in here is that as a node ages, it’s not only getting a record of trustworthiness, it’s also collecting vault storage that will increase its safecoin-return probability – i.e., skin in the game, potential future loss.

While this point doesn’t wipe out the google attack potential, it does make it a lot more expensive.

Also, we need to remember that with disjoint sections, there’s not much gold mine to be harvested by bad behavior. Even disrupting consensus (the first level of attack, I think) is very difficult and not too noticeable externally. The “steal-safecoin” even is a very minimal return for all that it takes to achieve it.

All that said, “evicting” is very extreme. Occasional relocate with temporary bump from elder status to soon-to-be-returned-to-elder status should be quite enough.

4 Likes

That is how it is planned to work now.

2 Likes

I think most people would agree that short lifespans are linked to evolution. By forcing reproduction to occur early and then stop, you maximize genetic mixing. You don’t end up with Revision 1.0 organisms still creating Revision 1.1 progeny for two hundred years, when the current system of short lived organisms would have the population all at Revision 28 in a similar time span.

There is no reason for humans to continue to conform to this algorithm, since we no longer follow evolution. Survival of the fittest no longer describes civilized humans, so I say, in for a penny, in for a pound. The people arguing against extending human lifespan as being unnatural, don’t make sense to me, since we’re already unnatural.

As for SAFE, unless you intend to introduce evolution into your nodes, artificially reducing node lifespan seems a bit cargo-cultish. You’re copying something in the hope that copying it blindly will achieve something, just like a pacific islander building a headset out of coconuts to try to “radio” in airplanes loaded with supplies. That sounds more harsh than I intend, but it’s such a good metaphor that I can’t resist!

As somebody in this thread has already mentioned, if the probability of killing a good guy is the same as killing a bad guy, then statistically, you’re not benefiting the network, you’re just pissing off farmers and loading the network with churn.

2 Likes

Although, possibly, the attackers will try to destroy the reputation of the network more that an economic benefit, the control of a section would allow, not only to possess all the safecoin corresponding to the Xor space of that section, but to use them as many times as they want. And in an anonymous network like SAFE means being able to carry out a multitude of double spending before people start to realize it.

And do not forget that, also, they could get great benefits by going short on something they know is going to fail.

2 Likes

Of course, but the point is that, especially as the network matures, getting meaningful control of that “section” is fabulously expensive in terms of money, time and effort compared to the amount of damage that could be done.

4 Likes

Let’s use biomimicry as well, observing nature this is usually what happens:

  1. Young
  2. Grow
  3. Old
  4. Die

Death might bring the disadvantage of eliminating irreplaceable talent from the face of the Earth (such as ancient Greek philosophers, Da Vinci, Newton, Einstein, etc…).

Even though death eliminates good people, it also has a pragmatic side: it prevents eventual tyrants to sit perpetually in power and/or a stagnant status quo in creativity through authority.

To allow all elders, no matter how lovely they might be, to eventually reach to the end of their lifetime and die (and reborn maybe? A Nirvana/Reincarnation logic could be interesting) could be enough deterrent for these attacks…

Btw, regarding to the “Nirvana” it could check the behavior of the vault in its lifetime, tallying all the reports of misbehavior. If it is clean, it is allowed to reborn, and if has been sinful it just goes to hell.
(Btw, I know that the Buddhist concept of Nirvana is exactly the opposite to this… It would be more appropriate to call it “the Hell protocol”, but that doesn’t sound very marketable lol)

This would make @happybeing the marketplace of well-behaved nodes to be less appealing, as all of them would have an expiration date.

Just my quick two cents, I will mull a bit more about this and come back later.

4 Likes

That hypothetical marketplace has already been shown as non-viable…

So, anybody wishing for justification to allow killing well behaved nodes will need a new reason to do so, and preferably, not just “because nature does it”, since our nodes do not evolve.

2 Likes

No if the goal is destroy the network by undermine their reputation, the price of safecoin and, consequently, shooing farmers.
The network could face extremely powerful enemies, especially states, capable of spending large sums to eliminate the threat.

1 Like

I am not sure I understand what you mean by the constant relocation.

My understanding is

  • There is the “random” node address allocation when a node is joining
  • There is the relocations when sections split or merge

And both of those are very much needed. The first is needed for security and is simply allocating a section for a new node. And the second is needed because otherwise we end up with a few massive sections that were setup initially.

But of course the counter con to this is that as you retire elders this gives a baddie node an opportunity to become an elder. Now is it cheaper to flood with nodes waiting for elders to be forced into retirement or to pay big dollars for a chance at getting an elder or two.

Moving equipment could make the node(s) lose eldership when it comes online again. Or transferring the cloud instance may cause a break because the cloud provider forces the instance to be stopped as ownership is transferred. Whereas flooding nodes is just a time game. In both cases it requires a good amount of funds anyhow.

Farmers will not have multiple vaults where they have 2 or more in one section. Otherwise the baddie would be able to do so with a node flood and that would be easier.

tl;dr
Whats the balance, which way is easier, well that is the question isn’t it

This might be an alternative to retiring elders. But does it improve security. Because if a baddie is an elder then relocating it to another section only gives the baddie another opportunity to get into a section where the baddie already has a couple of bad elder nodes. Or it could work the other way. The point is that it doesn’t reduce the ability of the baddie. Its all random in the first place where the baddie ends up and you give the baddie now multiple chances at getting enough nodes in one section.

The farmer sells his (now empty) wallet too. Solves that one.

Not necessarily if the farmer was using a cloud instance and the farmer sells the cloud account (and wallet) so in fact the network sees no difference.

This is the negative that struck me too. Otherwise it has some very good points.

And the other main issue I mentioned is that (random wise) if you evict a good elder then you have a possibility that a baddie node will replace it and it will cost the baddie node less because of the forced evictions. And on the other side of the coin, not evicting allows a baddie to remain. In random probability (without more info) this is a 50/50 situation for security concerns. But a real bad one for those who spent a lot of time and effort to keep their vaults running 24/7

@mav have you considered the reality that most, if not all machines experience some downtime. Power failures, router failures, ISP issues, even singular cloud instances. Would this in effect be enough? Age is halved.

5 Likes

Yeah, worth considering everything. I do understand the magnitude of potential opposition.
My instinct is that the network will be so amorphous that amassing and maintaining enough situational awareness amongst malicious nodes is the main point of defense. Diminishing status of elders is a dicey thing. I’m liking the idea that elders get relocated occasionally and have to regain some part of their status.

4 Likes

What if you sell the node without the need of turning off the node?
For example, I just sold an apartment with tenants. The tenants never realized of a change of ownership, and they didn’t require to leave the premises, the only difference is that the money doesn’t reach me anymore it goes to the new owners.

What if something analogous happens with a new type of smartcontracts. The old node is never turned off, as it had been sold to your customer, even though you are physically hosting it, it belongs to someone else.
The former owner might charge you a ‘hosting’ fee instead for the physical cost of running it, while the new owner gets all the benefits.

If there is a gold in the middle of the jungle, the roads will be built to get there sooner or later.

2 Likes

Yeah but it depends on the definition of ‘bad’. Is it ‘bad’ if google starts the first 1M vaults and never stops them again, so it’s very hard for anyone else to become an elder for a very long time? Even if google do all the consensus stuff etc perfectly, I’d say the effect they have of not sharing eldership is bad.

It’s not really about that. It’s about giving an incentive to new participants, ie increasing participation. That’s a really important marketing and sales idea. I wouldn’t get into bitcoin mining right now because it’s become dominated by a few big players and I haven’t got the skills to overtake them. This effect would be worse in safe because age is time-related not skills-related so there is no chance to overtake existing operators. That effect can be very detrimental to new participation.

Agree in principle that simplicity is always preferable but if that loose end unravels the entire rope then it can’t really be left loose can it? No harm in trying to imagine the ways, even if it leads to no changes in the end.

I like this idea because there’s an ongoing assumption that being an elder is desirbale but maybe it’s not…? Being an elder entails more work and maybe some vaults won’t want to have to do that extra work, they just want to store the chunks and farm the coins. There’s a big difference in work (how big?) between being the oldest adult vs the youngest elder. It may not actually be desirable and recruiting elders may be difficult. Bit of a stretch but I like that you’re pushing a bit toward that direction.

Ah yes good catch but the idea is what matters. ‘Double trustworthy’ is maybe not the same as ‘double work’!

I think there’s no way to stop vault selling. If I wanted to buy a vault with no consequence or effect on the network, I’d force the previous owner to send me their newly farmed safecoin and give me the rights to control the vault for voting etc (ie control of the rpc for the vault). Sure the seller could screw with it because there’s double ownership but that’s like saying the person who sold you a car could still have a spare key… yet sales still happen.

This is a tough distinction and one I’m still working through. I don’t think age measures trust. It measures total work. Maybe it also measures reliabilty. But trustworthiness… it can change too quickly so I’d say trust can’t really be measured.

And then the question becomes, of ‘work’ vs ‘relability’ vs ‘trust’ which ones are rewarded and why and how much? What is actually valuable to end users? What is valuable to the network? What is valuable to vault operators? Where do they diverge and how can that best be managed? Voting? Eviction? Strict algorithmic adjustments? Energy consumption? Crytographic proofs?

I haven’t seen this specified anywhere. As far as I was aware age was only used for voting rights, not for earning rights. Got a link to more info?

Yeah this is getting into the interesting aspects of voting and game theory. If there’s no penalty for voting then the behaviours are quite predictable. But if there’s some cost to voting, the voter must weigh up the cost vs benefit of their vote and ideally the space between the cost and the benefit is what defines the value of the system. But that value must reflect the goals of the end users, not the goals of the voters. It’s a fascinating area.

Maybe evolution already exists in the form of software / protocol versions. Backward compatibility (or lack of) becomes the evolution. Some overlap between versions perhaps but eventually backward compatibility is removed and thus evolution occurs.

I think this benefits the network by giving new players a reason to feel their activity will have a chance of becoming significant. If they feel that current participants will always be older than them then they’ll be less likely to participate which creates a risk to impartial consensus.

I disagree. I think it’s not only viable but inevitible (see above).

Yes that may be enough. But my goal is not to increase security by stirring the top-end of the network harder or faster, the goal is to give new participants reason to decide to join, to increase diversity of vault ownership, to be able to say “let’s get your vault started right now” rather than “don’t bother it’s not worth it”.

8 Likes

I think I am most unhappy with the idea of punishing farmers who have done everything right, but whose nodes are mysteriously reset. The original idea was that good behavior was encouraged because a reset was so damaging to your farming rate. That incentive is reduced if they still get reset anyway.

Perhaps a farmer does not know whether or not his node is a voting elder, or just an adult. He doesn’t know, and even if he could figure it out, he wouldn’t care, because he makes the same money, either way. If the network decides to randomly allow his node to vote, and then randomly disallow it from voting, he doesn’t know, and doesn’t care, because it doesn’t effect his farming. Perhaps this is what everybody else is already picturing. Is that possible, without adding extra complexity?

2 Likes

It’s not a punishment if everyone has it and the reason is for the overall good of the network. Instead of thinking of my vault age as permanent I enter into the network knowing it’s not going to last forever and accept that for what it is. Seems ok to me.

I agree that arbitrary punishment is bad, but I don’t think this is arbitrary. It has a good purpose. Maybe not good enough to warrant actually implementing it.

Can voting eligibility be decoupled from farming rewards? I do not care if my node votes, but I do care that if it has faithfully served the network, that it be trusted to continue that contribution and be rewarded for it. If it is randomly called upon to serve a higher purpose (jury duty) and then released from that purpose, without me even knowing or at least needing to care, that seems like a win.

2 Likes

Btw interestingly, there is an interesting corpus of information from almost nine decades of research in behavioral psychology regarding the effectiveness of incentives and behavior modification.

Surprisingly operant conditioning doesn’t work when the reward is foreseeable or consistent, but when the rewards are actually random. Sounds completely counterintuitive, but that is how both animals and people get hooked, and it is the basis for addictive behaviors.

If you want to read more about it, search for the “variable-ratio schedule” (schedule as in reinforcement schedules of operant conditioning)

So, some of the concerns here are not really a problem.
Yes, you might get pissed when you lose at blackjack, but why do you keep playing it a few times more?
Or yes, we are pissed when we click a clickbait, but why do we keep falling for it?
And yes, we keep getting annoyed when we lose the lottery, but why are we buying two more right away?
“Variable-ratio schedule”, is the answer. This is universal in virtually every species on Earth.

Also there is an interesting area of research on intrinsic and extrinsic motivation.
One rule of thumb is that extrinsic rewards kills intrinsic motivation, it is called the “overjustification effect”.

Regards,

7 Likes

In this case they also control the sections, so they remove the evict code and never get evicted because any other elder (if any at all) cannot get consensus to evict them. So its a mute point at that stage

In such a case where we know that there is this situation (or lesser) then that beta is restarted isn’t it. This is really a genesis condition isn’t it.

Even google instances have downtime st some stage so it isn’t forever. Google remains online because any instance can fail and the others take up the slack. But vaults are independent so if the instance goes down then so does the vault. So there will be age halving occurring on those vaults at various times.

I don’t discount the point but thought I’d explore it further.

But farming is done by adults as well as elders isn’t it. So even if elders are never evicted then adults will still be farming so its not the same really.

Also as you have more and more nodes being added the sections WILL split and this gives a new bunch of nodes the opportunity to become elders.

I just realised this too. If you buy a good node thats an elder then how do you insert your bad node software without causing some disruption to your node and getting your age halved?

This is what will kill eviction
But of course the elder nodes may install patches that remove the eviction and thus remain forever. This may not be a baddie, but a publicly available patch to remove the eviction. It is in the interest of all people with elder nodes to install the patch. Thus the idea is removed from the network.

And of course when people upgrade they will have their age halved since the vault is restarted. So is this your forced eviction already implemented? They have to upgrade at some time eventually.

As the elders upgrade other adults get the opportunity to become elders.

And of course as new nodes are added section splitting occurs (eventually) and some adults become elders

Also is there an advantage for earnings to migrate from adult to elder??? In other words would people particularly want to be an elder? Would only baddies particularly desire to be elders in order to control the section? A whole new issue I think. Reasons to be an elder and not just an adult.

3 Likes

Good point. Farming is probably the primary value to operators, but voting has some value too.

The vault can hot-load code easily enough. It may not be standard to run this hot-load but it’s possible. If the vault-selling market takes off it creates an incentive to run the hot-load patch ‘just in case’ you decide to sell your vault in the future. Official upgrades might happen this way anyhow, right?

while forever {
    read config
    load new routines from config
    do any normal vault things in the queue
}
1 Like

To whom though.

I would think average joe and jane would be after earnings and not even consider if their node is voting or not. Then the other side is the baddie who definitely wants voting rights.

Of course you could have the node announce it has a new version as part of the protocol and this causes a age halving. The reason being the other nodes in the section have less trust in that node now.

If the baddie node never announces this then eventually its claimed version will be too old and its age halved because of that. And we could have each node announce its version for each datachain block. Thus too old version nodes are halved each new datachain block till they are no longer an elder and any new versions on each datachain block are halved. Reason being there is somewhat less trust for too old or version change.

2 Likes

Quick reminder that if an attacker has more than 1/3 of all nodes, then none of this matters.

Having said that I never really liked the idea of having long running elders (i.e for life) because they become obvious targets for coercion. In other words, an attacker that can identify elders doesn’t need anywhere near as many as 1/3 of all nodes, since they only need to target (buy or coerce) the owners of those few elder nodes.

The question then is, if the approach is to randomly kick elders, why have elders in the first place? Any node that has good uptime can be selected to participate in consensus on a random basis. However you really need to make misbehavior an expensive thing, so you need some way to punish nodes economically when they fail to carry out their consensus duties.

8 Likes