Does Blockchain Security need to be Completely Reworked?

in #blockchain8 years ago


Ever since The DAO was exploited people have begun questioning whether “Code is Law” is a practical philosophy. Today I want to challenge the notion that “Key is Law” or “Key is Identity”.

Everyone knows that if someone gets ahold of your private key, your funds will be gone without recourse. This means that property rights are defined by the ability of a person to maintain a secret.

Impossible to Secure Secrets

Maintaining secrets is practically impossible for the vast majority of the population. The only solution that has been reliable is to use multiple signatures from keys stored on different devices.

Normal people are not capable of, or do not want to be responsible for, securing secrets. It is too much stress. One wrong move and you are either locked out forever or your funds are compromised.

Securing Life, Liberty, and Property

My mission has been to find free market solutions for securing life, liberty and property. In this case, we need more robust solutions for securing cryptographic property.

Property is an abstract concept. It is the idea that something belongs to an individual, a social convention that facilitates trade and trust.

Private keys are an identity verification system. They provide strong evidence that a particular individual made a particular statement. But this evidence depends upon a secret being maintained. Not just any secret, a secret so long and complex that people cannot easily remember it. A secret so long that it impacts usability.

A system that replaces real identity with imperfect evidence is fundamentally broken. It will not get people justice. People will not feel secure. A better solution is needed.

Identity vs Evidence of Identity

Blockchains create a public record that tracks who owns what. Private keys are used to sign transactions so that everyone can validate all property transfers and eliminate any disputes over who owns what.

The problem is that private keys are not an identity. They are mere evidence. Disputes can still arise when two people both have access to the same private key.

It is tempting to say that Keys are identity, but this would be mistaking the map for the reality. This stance does not map to peoples intuitive sense of justice. It is an engineering cop-out designed to evade the hard problem of governance and dispute resolution.

Governance Occurs Anyway

We have seen with The DAO, Bitcoin, and Steem hard forks that in the event of a bug, exploit, or theft that the community can and will take action to get justice.

I have long been an advocate that ignoring a problem doesn’t make it go away. If you don’t provide a governance structure then an informal one will be created. If you are unable to achieve a workable governance model then progress will stall and people will leave.

Social Identity

On a social network we have a new kind of proof, social proof. We know who people are and generally know when someone was hacked.

Unlike money, posts and votes made by an attacker are often clearly out-of-character for someone. This makes it very obvious to everyone in the social network that an injustice has occurred.

Social Costs

When an account posting key is compromised everyone loses. All of a sudden someone’s feed can get filled with ads, their hard earned steem power (aka reputation) can be abused. They can vote up garbage, vote down good stuff, or simply flood the network causing congestion for other users.

New Solutions are Needed

The rules of Bitcoin and other crypto-currencies do not apply the same way to a social networking blockchain. It is a different market with different requirements. Here are some of the things that the network should be able to reach consensus on without requiring a hard fork.

  1. account theft and return to original owner
  2. posting authority theft and temporary censoring

Account Owner Theft

An account can only be stolen when the owner key changes. In many cases it is easy for the public to identify the real owner and in 99.9% of cases, accounts are not bought and sold. In fact, it is in the blockchains best interest to prevent accounts from being bought and sold and thereby enforcing the vesting period.

The following proposal assumes that account owners can “opt-out”. An account that opts out will assume full responsibility for the protection of the owner key. In other words, those who opt-out have no grounds to ask for a hard fork or other intervention in the event they are hacked.

For everyone else who prefers the security of the community we have a new proposed solution.

  1. for N days after every owner key change a dispute may be raised
  2. if a dispute is raised, witnesses can vote on whether or not to override the owner authority.
  3. to prevent abuse, raising a dispute costs a lot (say $1000).
  4. after N days no dispute may be raised and witnesses have no power to change owner authority.
  5. the account holder can specify how many days review can last.
  6. by specifying an infinite review period, witnesses can be used as a last-resort password recovery system.

Account Posting Theft

It is not reasonable to expect that posting keys will not be stolen, especially because they are often kept live and cached within a web browser. The entire network needs a means to silence spam spewing from compromised posting authorities.

We suggest that any account can temporarily disable the posting and voting of another account until that account logs in with their active or owner key. This is a kind of identity challenge that will prevent hackers from abusing the platform.

To prevent abuse and to compensate the individual for proving they have the active key, the challenger will have to transfer about $10 worth of STEEM to Steem Power in the challenged account. Accounts can be limited to one challenge per day to prevent excessive harassment.

Friends and Family Multi-Sig

The last level of security for an account is for people to add their friends and family as multi-sig co-signers on their owner authority. In this event an attacker would have to compromise the active keys of the majority of someones family before they could compromise their identity.

In fact, a properly functioning and secure blockchain would have every account “owned” by a group of other accounts. The larger the group and the more the account holder trusts the group, the more secure the identity.

Social Media is the key to Blockchain Security

Having a social platform is the best and easiest way to get all of your friends and family online and available to secure your account. Imagine Facebook friends on steroids. Your most trusted friends and family become the source of your identity and their collective word (active key) secures your identity and account.

Conclusion

Steemit is still a young platform, but it is building the foundation for a much more robust and secure financial platform than can be provided by private keys or primitive multi-sig alone.

Sort:  

Congrats, again the steemit platform is not just all about the fancy back-end tech but is considerate of users and usability... this is mass market and has to cater for PICNIC (problem in chair not in computer) errors

I thought that was PEBCAK (Problem exists between chair and keyboard) an Id10t error. :)

Both work, picnik sound like picnic and the ID10T's are even less likely to get it.

LOL - right. That make's sense. I love to chat with people that know these inside jokes... "Sorry sir let me help you with the I.D. ten T error!!"

A good article raising important points,and I agree on the main points.
But the big fee to raise a dispute is a horrible idea! That is really discriminating against poor people.Like myself.There is just no way I can find a 1000 dollars without begging from family and friends.

Very interesting post.

I really like your comparison of mistaking a map for reality. The complexities of proving identity have been around virtually as long as humans have walked the earth.

It's great that we're thinking and talking about these things. The concern I would have in a system like this is how does one prevent groups of malicious individuals from claiming the identity of another person? And also, how does one who's put the claim to their account in the hands of the family and friends who know them make sure that their accounts are also secure?

Unless I'm misunderstanding, an account would only be as secure as the accounts of their witnesses in a situation like this.

Great thoughts Dan! I have noticed a lot of discouraged posts lately concerning this or that issue. The truth is, the devs truly do care about this platform, they deeply care about working out the kinks and making this a successful, fair, and profitable place where valuable ideas are rewarded.

Life, Liberty, and Property.
Cheers

Agreed, we all get disheartened occasionally.

Unfortunately you are right, it is all in the back end. Bitcoin and these newer block chains have a very different back end allowing for much more in the way of hacking.

Yes! I love this discussion and your ideas make great sense. Thinking ahead, as usual.

my comment reposted somewhere else.

Thanks for addressing this Dan

We suggest that any account can temporarily disable the posting and voting of another account until that account logs in with their active or owner key. This is a kind of identity challenge that will prevent hackers from abusing the platform.

To be clear this means some kind of active key transaction?

To prevent abuse and to compensate the individual for proving they have the active key, the challenger will have to transfer about $10 worth of STEEM to Steem Power in the challenged account. Accounts can be limited to one challenge per day to prevent excessive harassment.

This is open to deep pockets, sybil attack, and could be used as a way of getting a targeted user to ferret out a powerful key at the wrong time. This idea could create more abuse than it solves.

You can get pretty good identity approximation with an offline HW device (trezor or such) which only you know pin of. To get hacked, you would need an attacker to take your device and force you to disclose pin, i.e. totally control you - for such an extreme case, definitely a third-party confirmation would be best.

In all other cases, HW auth is a quicker and more secure (no human involved making social engineering impossible) method.

I have to say that the more I read about Steem and what's happening behind closed doors the more I feel all the more confident that Steem is going to see the success we all feel in our gut in the near future. Welcome early steemers!

Classy post. cool

Good ideas. Thanks for sharing!!!

I love the idea of having friends and family, as well as trusted followers, secure your identity. Mom and Dad will know if I am hacked, for sure. I disagree with the $1000 cost - only if a person has no relatives. Mom should not pay $1000 to declare me hacked.

SIDE NOTE: Why has someone still not found a way to reverse hack? Meaning, why can GOOD hackers not trace breadcrumb trails to EVIL hackers and we throw their asses in jail? Any human who lives off of the suffering of others deserves to be incarcerated, forever. When will we be able to hack the hackers and start awarding bounties and/or vigalante justice? @dan my friend, don't you think a day will come when hackers who attempt to do evil are found and retribution enacted upon them? I rue the day that these scammers meet their karma.

I put no small amount of money in the DAO, and pretty decent priuspel earn, if you are interested please write, gladly will explain a couple of subtleties earnings by DAO

Wow what a post, I am very new to the Blockchain and Crypto in general, so still wrapping my head around it, but so much value in this post. Thank You very much for the great read.

Starting to think you might have given this some thought... ;)

You think that's cool, you should see his BitShares which collateralize Smartcoins.

Great original post. Thanks for your contribution, u right steemit is such a young platform!

Dao is not blockchain. Its a failed experiment

Each successful hack is a step ahead to a more solid crypto-world with a new lesson learnt.

The crypto world is definitely taking baby steps to perfection.

Well, every project one way or another gets hacked. But main important point here is, how community and project handles the hack. Lessons are learned hard way, they don't come easy. Keep up the hard work, guys!

Let's learn lessons so that project/community strength with it.

интересно

The only solution that has been reliable is to use multiple signatures from keys stored on different devices

Hardware wallets have also been reliable, even without multisig. What clearly doesn't work is storing secrets on general purpose devices, and it gets worse as you add more and more complex general-purpose layers, with web applications more or less at the apex of this house of cards.

Brilliant post! I think ultimately though, the key Is the person who controls the keys. With crypto, there Is a beauty In managing your own account. But, all freedom comes with a price. #Education will be very necessary for new users. Thanks-

Using two factor verification process, for example, through SMSes in combination with keys can also make the system more secure. Even if the mobile numbers are compromised and changed, the system can alert the old number through SMS or a verification call in an event of attempted change in the personal details.

Why is it so hard for various crypto related people to accept that "Governance occurs anyway" It's like a child who hides their eyes and relies 'you can't see me if I can't see you'.

Great post as usual Dan! You are so ahead of the curve, and always reactive. It is great to see developers this transparent and dedicated. I had posted about Decentralized Conglomerate Theory here on Steemit a while back, and it discusses a LOT of the things you're talking about.

https://steemit.com/decentralized/@chris-bates/decentralized-conglomerate-the-new-paradigm-of-digital-leadership-emerges

Thanks for all your hard work!

It's great to see that a bigger part of the community is really supporting the platform, and It's also a good thing to see everyone taking action on their online security, if we all do our part, I am sure this will grow into a great comunity

Excellent work here Dan. Social proof of identity is simply brilliant, and necessary in an increasingly tokenized world.

One question: I assume the $1000 posted in the case of a dispute works like a bond in the sense that it is only paid if the dispute was not upheld (ie. the person raising the dispute made a bogus claim)? If the dispute was not rightful, they should lose the whole $1000 but perhaps there is a much smaller admin fee if the dispute was rightful and justice was served? It would suck to lose your keys and then be out $1000 to get them back.

"The key is private" before or after use steemit! Don't lose your key 😀

Blockchain is in its infancy and these hiccups in security are inevitable but necessary steps along the way. Only through mistakes and failure can success occur.