Topic: MirrorChain--to solve the security threat during the new DACs distribution


Offline Overthetop


At present, more and more new DACs will come out and use a free distribution promotion strategy.

However, there is always a security threat during the process of importing the private keys of PTS/AGS/BTX ... to new DACs.

So, I suggest to set up one Mirrorchain by 3i officially to maintain the PTS, AGS etc. data.

The mirrorchain has no business function and only performs as a data-provider for new DACs.

With the "MirrorChain", we get a firewall between our assets and strange new DACs.

The mirrorchain can refresh the data frequently to keep up with the new data, and will always be ready for new DACs distribution.

How about this?

 :)
« Last Edit: May 27, 2014, 05:38:36 AM by Overthetop »
Personal Weibo account: Overthetop_万里晴空
"Blockchain Innovation and Entrepreneurship" discussion group: 330378613

Offline xeroc

  • Board Moderator
  • Hero Member
  • Posts: 12278
  • ChainSquad GmbH
  • BTS: xeroc
  • GitHub: xeroc
> So, I suggest to set up one Mirrorchain by 3i officially to maintain the PTS, AGS etc. data.
> [...]
> How about this?

Decentralized!

You can always diff the official bitshares_toolkit against the new DAC and see for yourself what changes they did. If you cannot read code, let others do the work for you!

We might need a trusted compile platform for the binaries.
Give BitShares a try! Use the http://testnet.bitshares.eu provided by http://bitshares.eu powered by ChainSquad GmbH

Offline gamey

  • Hero Member
  • Posts: 2253
> > So, I suggest to set up one Mirrorchain by 3i officially to maintain the PTS, AGS etc. data.
> > [...]
> > How about this?
>
> Decentralized!
>
> You can always diff the official bitshares_toolkit against the new DAC and see for yourself what changes they did. If you cannot read code, let others do the work for you!
>
> We might need a trusted compile platform for the binaries.

I don't think everyone would wish to release the source to their DACs.
I speak for myself and only myself.

Offline xeroc

> I don't think everyone would wish to release the source to their DACs.

Those probably won't make me post my angelshare private key into them. Not gonna happen!

Offline Overthetop

> > I don't think everyone would wish to release the source to their DACs.
>
> Those probably won't make me post my angelshare private key into them. Not gonna happen!

Even with source code, I do not think it is safe enough.

Because more and more DACs are coming out and they become more and more complex.

So it is not easy to review whether each of them is clean or not.
« Last Edit: June 03, 2014, 06:12:19 AM by Overthetop »

Offline xeroc

To me that sounds like a business opportunity, checking DAC sources :-)

Offline Overthetop

> To me that sounds like a business opportunity, checking DAC sources :-)

Yeah, sure.

You deserve it, and maybe one day we can have a deal.

 :P

Offline xeroc

Oh .. I am afraid my capabilities in reading and securing code are somewhat limited.

Offline gamey



I am a bit skeptical that the more profitable DACs would release their source and allow their whole business to be instantly cloned. 

Really the only solution will be a hot/cold wallet as far as I can see.

Offline xeroc

Maybe we can use some elliptic curve magic to solve the issue ... much like what TITAN does?

Offline toast

> I am a bit skeptical that the more profitable DACs would release their source and allow their whole business to be instantly cloned.

I see you are not familiar with Stan's classic "10 laws" post:

> So here is our list of the rather obvious Ten Natural Laws of the Crypto-Asset Universe. All wise developers should be aware of these unspoken rules of competition and plot their private business strategies accordingly:
>
> 1. All software must be open source to be trusted.
> 2. It is ethically acceptable to clone alt-coins from anybody else’s open source.
> 3. If you demonstrate a good idea, others will clone it – without market objection.
> 4. They will clone it if just to give it a better name.
> 5. They will clone it to slightly modify one of its parameters.
> 6. They will clone it to better appeal to another group of stakeholders.
> 7. They will clone it to make it more profitable (and therefore more appealing).
> 8. These clones will compete in the free market.
> 9. The clone that appeals to the biggest and most influential crowd wins.
> 10. The clone that achieves the Network Effect first may ultimately get to ignore the first 9 rules.
Do not use this post as information for making any important decisions. The only agreements I ever make are informal and non-binding. Take the same precautions as when dealing with a compromised account, scammer, sockpuppet, etc.

Offline bytemaster

> Maybe we can use some elliptic curve magic to solve the issue ... much like what TITAN does?

The problem is that without the actual public key of the account holder you cannot do any operation other than signature verification and that requires the private key. 

If we had the public key for every address in the snapshot then it would be possible to separate out the tool that imports the private keys for each chain from the chain itself. 

I think the way we can get around this is to have a separate 'trusted' process that can sign arbitrary data for a new chain.  This process would report to the new DAC all of the addresses it can sign for.

This way the new DAC never sees your private key, but can still use it for signing transactions *FOR THAT DAC ONLY*. 

 
For the latest updates check out my blog: http://bytemaster.bitshares.org
Anything said on these forums does not constitute an intent to create a legal obligation or contract between myself and anyone else.   These are merely my opinions and I reserve the right to change them at any time.

Offline xeroc

> > Maybe we can use some elliptic curve magic to solve the issue ... much like what TITAN does?
>
> The problem is that without the actual public key of the account holder you cannot do any operation other than signature verification and that requires the private key.
>
> If we had the public key for every address in the snapshot then it would be possible to separate out the tool that imports the private keys for each chain from the chain itself.
>
> I think the way we can get around this is to have a separate 'trusted' process that can sign arbitrary data for a new chain.  This process would report to the new DAC all of the addresses it can sign for.
>
> This way the new DAC never sees your private key, but can still use it for signing transactions *FOR THAT DAC ONLY*.

I don't understand much of the ECC magic, but couldn't we go for a hybrid, such that if the pubkey is known we can do ECC magic .. if not, the owner needs to work on the actual privkey ..

We could then update the pubkeys for new DACs on a regular basis using the most recent blockchain (assuming no one really can break ripemd160(sha256(pubkey)))

Just asking

Offline FreeTrade

  • Board Moderator
  • Hero Member
  • Posts: 700
Might be possible to have the PTS client sign the first transaction to release funds from the genesis block.

Steps:
1: Enter public key into new DAC client
2: New DAC client creates unsigned transaction
3: PTS/Trusted client signs transaction
4: Signed transaction posted into new DAC client
“People should be more sophisticated? How are you gonna get that done?” - Jerry Seinfeld reply to Bill Maher

Offline xeroc

> Steps:
> 1: Enter public key into new DAC client
> 2: New DAC client creates unsigned transaction
> 3: PTS/Trusted client signs transaction
> 4: Signed transaction posted into new DAC client

That sounds VERY nice! Also PTS wallet should already be installed by most investors!

+5% for this approach!!!

 
