Vulnerability for data deletion

A corollary of my proposed safecoin vulnerability here:

A coordinated attack, I’m thinking a voting app to pick files, could delete data.

Using the precompute method described in my previous post, a group of people could come together under a “fight child porn” banner, or “end terrorism” or any other banner with enough force to polarize a large number of people to want specific files deleted.

An app could be designed to keep track of specific file names to known “bad files”. Once a single chunk of any of these files is detected on 4 vaults running the app, a coordinated timed delete could take place. Because of the self encrypted nature of files, deleting just one chunk across the whole network would corrupt that file, not allowing it to be decrypted.

I believe (please correct me if I’m wrong) that it would only be reported as missing and downgrade a vault if it failed to produce the chunk.
I also believe that every chunk isn’t checked to make sure it still exists until that time.

If a file was deleted out of band, the network would not know until it was requested.

Also, because of the self encrypted nature of files, if an attempt was unsuccessful, it could be tried again on the same chunks / files next time they were on “deletion” vaults.

Like my previous proposal, this scales inversely with the amount of data on the network, however, if enough people unite behind the cause, I believe this is a valid concern.

This topic, “Churn, number of copies, and perhaps an idea”, brings up the point of being able to pay a little extra for more redundancy. I haven’t gotten to the point in the code where I can figure out if this is feasible, but it sounds like a good idea.

4 Likes

I don’t think Maidsafe will host the only copy of any file (for a while at least).

So, if someone deletes a file, it’ll cost them dearly, and your answer to that is just to upload it again.
Or, in fact, since Maidsafe storage is so cheap, one can run 10 or 20 sites with the same content, just in case.

20-30 sites back ended by maidsafe will still convergent encrypt all those into chunks with each chunk stored on 4 vaults each…

For people who care more about keeping things “safe” or “clean” or whatever banner they fly under, I don’t think down ranking their vault will be an issue.

As for uploading again, see above. The chunks will still be the same (deduplication encryption) and the same thing can happen again if those chunks land on more “deletion” vaults.

Also, if a user uploads a file to safe because “it’s so safe” and deletes their local copy, now it’s gone.

1 Like

I believe a chunk is now replicated 32 times. At the internet scale, you would need a massive amount of effort to pull that off.

If this is the case, then I agree (mostly). I must have missed that.

It would depend on the popularity of the app. Though, the chance of getting 32 copies of the same chunk of one of the few “bad files” on vaults controlled by “deletion vaults” is quite slim regardless of popularity.

You need to insert just 1 pixel to a single frame of a video to make it “different”.

The only way to delete a chunk would be to control all copies of it, and that’s a very hard thing to do. That’s a well known and much discussed attack, but that’s what you need to find a way to do for this attack to work.

I understand that. Hence my theory of an app and many people participating.

I’m doing my best to think distributedly (is that a word?) instead of linearly. Instead of a lone actor trying to control enough vaults, recruit a bunch of other people.

If enough people decided “David Irvine blog posts disrupt the fabric of the universe” they could compute the hashes of his post, everyone compare notes on what they have, and if it so happens that one chunk has all copies on vaults they control, and delete it out of band, that post wouldn’t be able to be decrypted.

Unlike my safecoin idea, this scales inversely with data AND nodes, however, if the public en masse was polarized against something enough that a majority of people used an app (think known ISIS files now, or child porn), universally unliked things could be targeted and deleted.

1 Like

Good, we’re on the same page, however I’m not worried!

To achieve this you need 80% of the nodes on the network to act together.

If that proportion of the network want to do this it’s one thing, but it’s another thing for them to actually do it, even on the most polarizing of issues people are lazy.

But of course, getting 80% of any large population to agree on something is unimaginable to me, let alone to act on it.

Keep going though, this is exactly what we need, trying to figure out ways to break the network will protect it.

2 Likes

Group size is at 32 nodes during testnets, but a data manager group of 32 nodes will select a number of replication nodes (currently still maintained at 4).

1 Like

Thanks for the correction @BenMS. I must have misunderstood something, I hope I didn’t mislead too many people :blush:

No, on the contrary, good spotting, group size is indeed at 32 now; and a simple routing network (without vault logic) would then indeed have 32 copies of the data. Thanks to the additional higher logic of the vaults we can assign (less) nodes with specific tasks, such as storing the chunks. This is not a trivial point, and not fully documented. Nice one

4 Likes

If I understand correctly this statement would apply for a generalised situation where reasonable success is expected for a specific set of files.

But my understanding is that it may be possible that a much smaller percentage would allow for the occasional file’s chunk to fall victim to this attack. Thus the security of data is compromised, even if it is one file a month or year.

Or have I missed something?

2 Likes

I think that’s correct, but again I don’t see the incentive for an attacker with so much cost and so little payoff.

I don’t see what the “so much cost” is?

The cost is in setting up: writing special code to do this, and creating enough nodes to give you a chance of catching a chunk - then running all those nodes long enough to achieve your goal.

If you think that’s not costly, try and plan actually doing it.

It would be a sub-community effort, I think the attack is doable. Communities can be pretty fanatic in their ideologies.

One defence would be to pre-hash (or change in any way) and upload a private copy of the same public data. Deduplication won’t kick in since the encrypted chunks will be different with different ID’s. If data loss would occur due to this attack, the guy with the private copy can re-upload any lost chunks. The attackers can’t spot this private copy.

This is not a network-side defence though, so better solutions would be preferable. Still, I think only particular kinds of content would be sensitive to this attack, and the uploader or anyone else who sees this attack as a potential threat could take this pre-emptive counter measure.
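The private-copy defence described in the post above, sketched as an added example that is not part of the original thread or MaidSafe code. It uses a simplified stand-in for self-encryption (key and address derived from chunk content); the chunk size, salt length, function names and the in-memory `store` dictionary are assumptions made for illustration.

```python
import hashlib
import os

CHUNK_SIZE = 1024  # constructed value, not the network's real chunk size
SALT_LEN = 16      # length of the random prefix on the private copy

def xor_stream(data, key):
    """XOR data with a keystream derived from key (toy cipher, illustration only)."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def upload(store, data):
    """Store convergently encrypted chunks; return the data map [(address, key), ...]."""
    data_map = []
    for i in range(0, len(data), CHUNK_SIZE):
        plain = data[i:i + CHUNK_SIZE]
        key = hashlib.sha256(plain).digest()        # key derived from the content
        cipher = xor_stream(plain, key)
        addr = hashlib.sha256(cipher).hexdigest()   # address derived from ciphertext
        store[addr] = cipher                        # same content, same address: dedup
        data_map.append((addr, key))
    return data_map

def fetch(store, data_map):
    """Rebuild a file from its data map; raises KeyError if any chunk is gone."""
    return b"".join(xor_stream(store[addr], key) for addr, key in data_map)

def upload_private(store, data):
    """Upload a salted copy so that its chunk addresses differ from the public ones."""
    return upload(store, os.urandom(SALT_LEN) + data)

def repair(store, public_map, private_map):
    """Re-upload the public file from the private copy; return the addresses restored."""
    missing = [addr for addr, _ in public_map if addr not in store]
    if missing:
        upload(store, fetch(store, private_map)[SALT_LEN:])
    return missing
```

Because the salt shifts every chunk boundary, the private copy shares no address with the public file, and only the holder of its data map can link the two.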

Like the woman in America who sued all the world’s gays. So much cost and little to no payoff.

Many crackers crack systems for the love of it and little payoff other than personal satisfaction.

We have a thread here that has someone wanting to delete off his vault anything he doesn’t agree with.

Plenty of groups it seems that may want this sort of power and as @Seneca says ideologies have their fanatic followers.

Just takes one hacker/cracker/programmer to create a distributed app that coordinates this attack to cause potential issues. The ease of use is simply running the app, a click on a web page, is all the effort the followers would need to do.

I do agree that it is more luck that they would be able to succeed but it is probable to occur on a regular basis. Once a day, week, month, year, who knows, but still possible.

I don’t disagree with these points, but I think the cost is high and the impact/reward very low.

I know you’ve done a fair amount of programming. Writing a program that would:
Download a list of “bad chunks”
See if you have one
Ask if anyone else has it and wait for 4 responses
Delete

Would not be hard. The hardest part would be for the fanatic creating the list… Think Warren making a list of ad files… When someone has a vendetta against something, they will spend their time on it.

If the “cause” has enough people behind it, it’s as simple as downloading and running an app. Very little effort except for the creator.

I will say, this could be greatly mitigated by not having a hard-set number of chunks stored. Some chunks have 4 copies, others have 6, some have 8, with no upper bound, set by some formula to keep them from getting out of control. A little bit of entropy would go a very long way, as it would be very hard to get a consensus on when to coordinate a delete because “all the chunks are found” would never be known for sure. David mentioned a few times that we should stay away from magic numbers. I think this should be one of those times.

2 Likes
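The replica counts debated in this thread (4 versus 32, and the suggestion of varying them per chunk) can be compared with a simple durability model. This is an added example, not part of the original thread or MaidSafe code; it assumes replicas are placed uniformly at random on distinct vaults and that chunks are placed independently, and the function names and vault counts are constructed for illustration.

```python
from math import comb

def p_chunk_lost(total_vaults, colluding, replicas):
    """Probability that every replica of one chunk sits on a colluding vault.

    Hypergeometric model: `replicas` distinct vaults are drawn uniformly from
    `total_vaults` (uniform placement is an assumption of this example).
    """
    if not 0 <= colluding <= total_vaults or not 1 <= replicas <= total_vaults:
        raise ValueError("inconsistent vault or replica counts")
    return comb(colluding, replicas) / comb(total_vaults, replicas)

def p_file_lost(total_vaults, colluding, replica_counts):
    """Probability that at least one chunk of a file has all replicas on colluding vaults.

    `replica_counts` holds one replica count per chunk, so a fixed policy
    (all 4) can be compared with a variable one (4, 6, 8, ...).
    """
    survive = 1.0
    for k in replica_counts:
        survive *= 1.0 - p_chunk_lost(total_vaults, colluding, k)
    return 1.0 - survive

if __name__ == "__main__":
    N = 10_000  # constructed network size
    print("share  fixed-4      mixed-4/6/8  fixed-32")
    for share in (0.01, 0.10, 0.50):
        bad = int(N * share)
        fixed4 = p_file_lost(N, bad, [4] * 100)
        mixed = p_file_lost(N, bad, [4, 6, 8, 6] * 25)
        fixed32 = p_file_lost(N, bad, [32] * 100)
        print(f"{share:5.0%}  {fixed4:.3e}  {mixed:.3e}    {fixed32:.3e}")
```

Under these assumptions the per-chunk loss probability falls roughly as the colluding share raised to the power of the replica count, which is why the 4-versus-32 correction in the thread changes the risk estimate so much.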