SAFE Network concerns from an old employee

@dirvine I hope you have a hard limit to the amount of time you spend on the forums.

Maybe MaidSafe could hire a hacker dedicated to breaking Safe, and part of their job would be to respond to forum posts describing hypothetical attack vectors.

10 Likes

You are kidding right? What’s your next claim, that SAFE has a hidden blockchain somewhere inside which you can easily fork to get someone’s Safecoin?

This is how you join the network (and therefore your group). You can’t pick your own group nor your address. You can’t target an address whatever calculated prefix you use. It’s like total nonsense. Same for empty groups. “Hi there, we are a bunch of connected nodes on SAFE but we are in an empty group!”. You are part of a group or you’re not. Nothing in between.

10 Likes

I really like the idea, but it’s probably too early. Or a bounty program, would be good later on.

Oh yea, I think the community is very important so am prepared to spend a lot of time here and bounce info back to the team. There is a limit but a ton of great info comes from the forums so it’s a fine balance. We do not often have super long posts like this, but occasionally folk do appear and have a bunch of all over the place points to make. So the balance is a tenuous one at times, but the community awareness is well worth it.

We are hiring outreach people at the moment who will take up much of that work though as well as the dev forum where more of the Engineers will frequent for deeper technical discussions. So all shaping up well, I always feel a small company should hurt before it expands and that is cool. So expansion time is long overdue for us :wink:

The Engineers working on this are pretty good at attacking every line of code and idea as well, so there are hangouts that last many hours debating some of the finer points. These are tiring for sure, but again well worth it.

Bug and security bounties are 100% going to exist, but we need to be further along before they are helpful instead of a hindrance. That time is getting very close now though and most of the guys are looking forward to that AFAIK.

11 Likes

Are you saying that Proof-of-Work exists only in the context of blockchains? As far as I know it was invented as anti-spam measure for email, and email has nothing to do with blockchains…

Nope, it probably will be implemented in some SAFE Apps or protocols as well. But it’s definitely not part of Disjoint Groups. To say that POW is part of DG is like saying a Tesla does have a combustion engine. It’s very far off.

2 Likes

Thanks very much for the links - I shall study them before commenting further.

Remember, this is still work and arguably important work. I know I get the same feeling when someone is pulling me away from some code, but sometimes you are the go to man on things and that can’t be helped. I appreciate your time on this and I am sure others do too who want to be sure everything essential has been thought of.

Maybe a technical FAQ would help? A lot of what is in these threads is tremendously valuable, but it needs curating to stop the same things being asked repeatedly.

1 Like

No worries, hope it all helps, there is a faq and wiki as well :smiley:

1 Like

Wow man, no need to go there … Just returning to this thread, but to answer your question—and to ignore your tone—I was reporting on a discussion I had with someone in the Trollbox. So probably FUD, but they didn’t come across as ill-motivated. As I mentioned, the tech details are out of my wheelhouse. Just thought I should pass it along regardless, if another community felt the issue was “unresolved.” Totally free to ignore, but … The MAID community should be strong enough not to lash out when another member tries to inform them of what seems to be going on in other circles.

1 Like

Just returning to this thread, but … I admit the details are really out of my wheelhouse. It didn’t immediately strike me as intentional FUD, so thought I’d mention it here just b/c it seemed like the opinion was taking place in a community / beyond one person’s personal viewpoint. Mostly I mentioned it as a “marketing awareness” thing, not b/c I thought whatever claims were being made had any validity (again I can’t judge on that level, and trust the team 100%), or necessarily required a response. My apologies, though, if this was an unnecessary side-track. I haven’t heard anything more about the issue, so am assuming it … wasn’t one :).

1 Like

Not a worry in any case, glad to know really when things are being said so we can check we don’t miss anything we should have been looking at in terms of the tech. Better to know than be surprised. :smiley:

6 Likes

Wasn’t a lash out… sorry if you took it that way.

1 Like

I don’t think fanboy hand-waving helps our credibility or the cause so I have been resisting it for days, but I can’t just stay quiet… this whole thing seems to come down to ego and nothing more (a forgiving interpretation of the facts at this point imo).

What should have been questions posed by a curious mind either in public here on the forums or direct to maidsafe were instead phrased as “serious issues” with the software described by an ex-employee. The problems were never in the code/design, they were in his understanding of it, but with an inflated ego (as can be clearly seen all through this) the issue becomes maidsafe’s problem rather than his own problem grasping it all. The lack of modesty throughout is a huge red flag to me. Lack of ego is one of the reasons I learned to trust David. Ego is as much the mindkiller as fear and many of us here know all too well from our own experience how easy it is for bright people to dig these holes when their judgement is clouded by arrogance.

It seems like all of the technical points are baseless, inaccurate or just ‘nothing new’. He is either digging this hole because he is being paid to, or because he really believes he needs to save the 18 staff members and thousands of invested community members from their own ignorance with his great insight (despite not bothering to really check how things work before he gave his critique). Either way, the only way this discussion ever becomes really helpful is if the intentions behind it are to help, instead of trying to play the game of “who’s right” in order to win it rather than become enlightened. Given how this conversation has gone and how helpful the insights have been so far I’d say it was ok to lash out a bit now ;).

Ok rant over… sorry, I know that we all need to stay objective and treat criticism and challenges seriously and with respect. It’s tough to swallow when it’s presented this arrogantly and as facts/mistakes/problems rather than very simple questions though.

:unamused:

8 Likes

The fastest way to find information on the internet is not to ask a question, it is to make an incorrect statement and wait for someone to correct you

Speed would seem considerably less important than diplomacy for an ex-employee who impacts their own reputation and that of the project when they go flying off half-cocked.

As I say, no problem for anyone else to approach it like that. Irresponsible/daft for someone whose words carry some weight… until they are picked apart… their words don’t carry weight for long like that, as evidenced here imo.

Proof-of-work schemes typically use a function whose output is a fixed range of numbers, evenly distributed, and thought to be unpredictable. Since the output is thought to be unpredictable based on the input, the difficulty depends on “finding” a value in a subset of its total output range (i.e. [0-10] using a function whose output ranges from [0-255]). A prefix implies an expected numerical range. The disjoint groups RFC does not specify how the group is being calculated, but mentions the network address is 256 bits. The current code is using SHA256 (which has the properties described above) for generating a network address, which generates a 256-bit value using an ed25519 public-key as its input. So generate a random point on the curve, then walk the curve for new public keys to pump into SHA256. This is trivial to parallelize. So this is nearly identical to how proof-of-work schemes are implemented, unless the ID will be calculated through some other fashion in this new RFC.

Assuming the above is true, the ideal situation is to force the node to accept a value to use in this function as it’s joining the network. A client would need a way to verify that this took place, which is a tricky problem I cannot remember seeing solved.

One solution I can think of is time-based. You could force every node to input a recent timestamp, and if clients on the network had clock values synced to within some delta it should be able to verify that the value was computed recently. One drawback with this scheme is that the difficulty is tied to the size of the network, and not computing power. The network would have to be pretty large from the start, and continue to grow with CPU power.

Again, assuming some function with an even distribution is being used, there is a chance that every node in the group splitting has an identical next bit in the prefix. When this occurs, the other group would be empty. The probability of this decreases as the size of the group splitting increases. I thought it was an interesting edge case to consider.
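
The split edge case and the prefix-search cost described in the post above, worked through as an added example that is not part of the original post or of MaidSafe's code. It assumes addresses are SHA-256 outputs treated as uniformly random; random 32-byte strings stand in for ed25519 public keys, and all function names are hypothetical.

```python
import hashlib
import random

ADDRESS_BITS = 256  # address width stated in the post


def address(pubkey: bytes) -> int:
    """SHA-256 of the public key bytes, read as a 256-bit integer."""
    return int.from_bytes(hashlib.sha256(pubkey).digest(), "big")


def bit_at(addr: int, index: int) -> int:
    """Bit `index` of an address, counting from the most significant bit."""
    return (addr >> (ADDRESS_BITS - 1 - index)) & 1


def split(addrs, prefix_len):
    """Split a group on the bit that follows its current prefix."""
    zeros = [a for a in addrs if bit_at(a, prefix_len) == 0]
    ones = [a for a in addrs if bit_at(a, prefix_len) == 1]
    return zeros, ones


def p_empty_sibling(n: int) -> float:
    """Chance that n uniform addresses all share the next bit: 2 * (1/2)^n."""
    return 2.0 ** (1 - n)


def simulate_empty_sibling(n: int, trials: int, seed: int = 0) -> float:
    """Fraction of simulated splits of an n-node group that leave one side empty."""
    rng = random.Random(seed)
    empty = 0
    for _ in range(trials):
        # Constructed sample input: random bytes stand in for public keys.
        # Hash bits are treated as independent, so splitting on bit 0
        # models a split at any prefix length.
        keys = [rng.getrandbits(256).to_bytes(32, "big") for _ in range(n)]
        zeros, ones = split([address(k) for k in keys], 0)
        if not zeros or not ones:
            empty += 1
    return empty / trials


def expected_keys_for_prefix(prefix_bits: int) -> int:
    """Mean number of keys hashed before one address falls under a fixed prefix."""
    return 2 ** prefix_bits
```

For an 8-node group the analytic value is 2^-7, under 1% per split, and the expected search cost doubles with each extra prefix bit, which is why the post ties the difficulty to how many groups the network has.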

Lots of assumption. What’s the saying again… assumption is the mother of all fcukups?

1 Like

When you ass-u-me things you make an ass out of u and me. (Sorry folks I had to)

4 Likes

It seems many want to see some official response to these types of queries or critiques. As well, David would like to see them incoming as they may be valuable at some point. One way to manage them would be to dedicate a thread to these types of “concerns” and ask @dirvine to set aside one day every second week to review and respond. The OP’s and the observers would have no expectation of immediate response - why would it even be necessary? - and the forum could weigh in anytime.

Really - It is apparent, as you have made it clear - this is out of control. There is an old saying “Do you want to win the battle, or do you want to win the war?” You cannot, and will not win every battle and it appears you are trying.

Take control - manage the expectations - everyone wins.

Good Luck

2 Likes

Yeah looks like we keep asking for you to explain how you think SAFE works, before you critique it, have you done that part yet?

Can you please do that?

Looks like not doing that is causing lots of trouble here for everyone, @vtnerd

3 Likes