Quote from: AdamBLevine on August 19, 2014, 02:08:31 pm
Any exemption is an invitation to use that exemption, and it will get wider over time as the people who built the system stop being the ones who make these decisions and it becomes about "what are you going to give me right now" since there are people (and not too many) who have the power to do this stuff.

Exactly this. Again, the road to hell is paved with good intentions and people over a long enough period are short-sighted and opportunistic.
Rather than focusing on an internal process for mitigation, we could (and probably should) just establish standard minimum security requirements for all exchanges that trade BTSX (x% cold storage, two-factor authentication, etc).
There needs to be a notification system, maybe by email, so delegates know there is a time-sensitive vote coming up.
Quote from: AdamBLevine on August 19, 2014, 01:01:59 am
Quote from: Empirical1 on August 19, 2014, 12:19:12 am
For me it's a question of whether you can design a system that gives shareholders confidence these actions will only be taken in the big cases & when there is a definite clear consensus. In every other system the answer is no, because you don't have the ability to provide that confidence. So I would not be in favour of a rollback for NXT.

This is *exactly* the problem actually. If the rollback is only used in big cases, it means that it is safe to be part of a very popular NXT failure but not part of a small one (because it won't be serious enough to be rolled back) - This will have a very centralizing effect where if you're going to be part of an exchange, well it better be the biggest exchange because otherwise people will say "Well it's not so bad, it wasn't the biggest exchange so we'll survive this". The rules need to be the rules, if you create conditions under which the rules and history itself can be re-written you will be inviting those who want to reinvent history to create exactly the conditions you are trying to avoid. If it was not desirable to rewrite history such a mechanism could work, but because there are many ways individuals and groups can profit from rewriting history it's a very bad thing to codify in a way that is "OK".

It's concerning more people don't see this intractable issue.

What about in the scenario of police confiscation? Could the network agree to burn in this instance?

One way to do it would be if the previous owner elects to enable the network to burn in the instance of confiscation. Currently technology doesn't allow proof of event or a sure way to confirm police confiscation.

But in the case that it did happen then the original owner gains nothing by electing to give the network the power to burn his stash. In the end though it's too complicated to be worrying about this right now. It creates unnecessary confusion.
It's like trying to have a dynamically generated digital constitution when we don't even have a fully functioning static digital constitution. For today let the rules be the rules because that is what works best. If the black swan event occurs then we can react to it then and it will not be so difficult to discuss and decide what to do. If governments confiscated over 51% of Bitshares it's pretty obvious to me that there would be a rollback.

Just like if the Bitcoin community discovered that the government somehow owned most of its coins they would have to do something if mining/Proof of Work cannot generate new coins. They rely on Proof of Work to allow themselves to have static rules. The FBI can confiscate a lot of coins and even be the largest address but because new coins are always being created it's not like the FBI could ever get 51% of the hashing power even if they had 51% of the coins.

Proof of Stake is different. If the government got 51% of the stake then DPoS would be owned by the government. In that instance we might want to hit the panic button if we saw that kind of takeover attempt.

Quote from: bytemaster on August 19, 2014, 01:18:47 am
Hard rule of no rewrites has least moral hazard.

The only black swan event which I could think of to justify burning a stash is a scenario where governments around the world start raiding and confiscating in unison. At that point it would be clear that it's an attempt to own Bitshares.

But even with these attacks the people who have escaped from confiscation along with the delegates can fight back. I think this black swan event is actually very likely to happen because it has happened with Bitcoin.

There shouldn't be rewrites but it might be possible to invalidate and burn a stash. The problem is to build this in right now creates risks and there is no evidence of the black swan event just yet.
It could be that enough governments embrace it that it's seen as just another technology, we just don't know yet.
Quote from: bitcoinerS on August 19, 2014, 11:42:56 am
24 hour response time from majority of delegates may prove unrealistic.

Why so? Their duty is to secure the network and be reachable... that's what they get paid for... it's not like mining where you can throw your miners at a pool and keep doing whatever comes. As a delegate you have responsibility!
Quote from: bitcoinerS on August 19, 2014, 11:42:56 am
Quote from: bytemaster on August 19, 2014, 04:57:41 am
4) Must happen quickly, ie: not affect balances over 24 hours old.

24 hour response time from majority of delegates may prove unrealistic.

Delegates have responsibility and they should make sure they can react. Behind delegates are real people. They should be reachable - phone, email, IM etc.
The point of making it "hard" to do is that it means it is less likely to happen. People need to know that it is "hard" so they can trust the system. In my original idea I probably didn't make it clear enough that:

1) Only a delegate could make the proposal
2) The act of making the proposal must come with a non-refundable fee of large magnitude ($1 million) that is paid to shareholders
3) Majority of delegates must approve
4) Must happen quickly, ie: not affect balances over 24 hours old.

A hard fork costs a network millions and those millions will be paid if it will save the network 10's of millions. The presence of such an automated system means that the network can "capture" the millions a hard-fork would have caused. Because the fee is so expensive, no one would dare cry wolf or use this option lightly. Because the fee is non-refundable even if the delegates vote "no" then it is not likely to be paid unless there is already support/consensus.

But perhaps most importantly, the fact that a procedure exists means that suggestions to hard-fork to bypass the pre-established procedure will be roundly rejected. I think you have to view these things like pressurized systems, if you don't provide a release valve then they can explode under heat.

I think that the community should establish some very sound guidelines prior to the event that serve to minimize moral hazard:

1) An exchange that didn't use cold storage... is ineligible
2) Failure to use multi-sig...
3) ....

All of that said, with BitUSD there is almost no reason to keep your funds on exchanges any more. So perhaps a VERY HARD policy on this would be best.
Quote from: bytemaster on August 19, 2014, 04:57:41 am
2) The act of making the proposal must come with a non-refundable fee of large magnitude ($1 million) that is paid to shareholders

Would it not incentivize delegates to vote no and keep $1m in fees?
Hard rule of no rewrites has least moral hazard.
Quote from: AdamBLevine on August 19, 2014, 01:01:59 am
Quote from: Empirical1 on August 19, 2014, 12:19:12 am
For me it's a question of whether you can design a system that gives shareholders confidence these actions will only be taken in the big cases & when there is a definite clear consensus. In every other system the answer is no, because you don't have the ability to provide that confidence. So I would not be in favour of a rollback for NXT.

This is *exactly* the problem actually. If the rollback is only used in big cases, it means that it is safe to be part of a very popular NXT failure but not part of a small one (because it won't be serious enough to be rolled back) - This will have a very centralizing effect where if you're going to be part of an exchange, well it better be the biggest exchange because otherwise people will say "Well it's not so bad, it wasn't the biggest exchange so we'll survive this". The rules need to be the rules, if you create conditions under which the rules and history itself can be re-written you will be inviting those who want to reinvent history to create exactly the conditions you are trying to avoid. If it was not desirable to rewrite history such a mechanism could work, but because there are many ways individuals and groups can profit from rewriting history it's a very bad thing to codify in a way that is "OK".

It's concerning more people don't see this intractable issue.

We don't have to reward too big to fail. We could tax bter or burn all of it. I just don't want the hacker walking round with 50 million he can dump on the share price at any time.
Then as soon as the hard rule is formalized, some South African cartel kidnaps the ByteMaster and demands that half of all bit shares be sent to a certain address, within 12 hours, or they terminate him.
Quote from: Riverhead on August 19, 2014, 01:31:20 am
My views on this are pretty straightforward. Basically the road to hell is paved with good intentions.

Some basic tenets of my stance:

1) A blockchain is first and foremost a ledger. It is an immutable record of transactions that happened (just or unjust). We shouldn't play time traveler with the ledger.
2) For lack of a more elegant way to state it: people over a long enough period of time suck.

That said other precautions can be taken in the event of what happened with NXT. Thefts happen. They're going to keep happening. What is up to us to figure out is how to mitigate the financial damages to those stolen from. This is what insurance is for.

So far not a single theft has been the fault of the protocol itself, certainly not in the case of NXT. Therefore if people want to protect themselves from such events they can start an insurance DAC, be more proactive about how they secure their wealth, etc.

Bottom line: The A in DAC stands for Autonomous for a reason. People basically suck over a long enough period of time. Good intentions are abused by bad actors.

No roll backs. Ever. We are not time travelers.

You still haven't addressed the scenario of governments being the thief. They have confiscated people's gold in the past so it is very possible.

Suppose your government confiscated your stash of Bitshares using legal force? Is there anything you or the protocol could do?
Quote from: lucky331 on August 18, 2014, 10:28:48 pm
do what Nxt did and keep the integrity of the project intact.

If you promise that you will play CobaltSkky

[edit] I doubt it but if somebody is not aware, here is a good summary: http://www.enterstageright.com/archive/articles/0814/cryptocurrpbterjob.htm
Delegates could freeze any balance (as long as 51% decide this). They could just ignore blocks with transactions from selected addresses and not include such transactions in produced blocks. So I see the procedure like this:

1) An extreme case arises
2) A delegate proposes action and starts a vote (If no delegate is willing to start a vote => the case is not that extreme)
3) 24 hours (or more?) period for delegate voting
4) If a decision is made (with 50%+1 votes) all delegates should comply (note that this cannot be enforced).

I strongly believe no transfers should be allowed by this method. Funds should be only frozen/burned.
I think multisig and personal responsibility solve these problems about as well as they're likely to be solved. Give people relatively user friendly tools for security, and make sure they know that it's their responsibility and no one else is likely to bail them out if they mess up.

Creating or advertising additional convoluted ways to "steal back" stolen funds just increases the number of attack vectors to include more social engineering attacks exploiting the anti-theft mechanisms. I generally expect the human element to be the most vulnerable aspect of most systems already, and this makes it worse.
Also - Is it even possible to trace funds if the thief creates a 2nd wallet? Owner -> thief wallet #1 -> thief wallet #2? Can we even detect that because of TITAN or is it necessary to do a full rollback?
Quote
Hmmm... this might be a dumb idea but... What if there was a process in place where users could vote to burn stolen BTSX or automatically transfer stolen BTSX to an insurance account? If 51% consensus is reached, the registered account could be flagged and any BTSX sent from the account would be automatically redirected into the insurance fund. In the event that the flagged account tries to distribute the stolen funds to other accounts, the other accounts could also be flagged and fined based on the transaction amount.

I was thinking of something similar. For example if funds are stolen then these are burned as dividends or keep them in an insurance account.

But you cannot flag the account and the accounts that the stolen funds are redirected since the thief can start sending funds to everyone in order to further mess up with all the accounts and we end up hurting ourselves.

I am not in favor of a rollback either. What if in the meantime I make a huge deal with someone in bitusd and then we have a rollback and the other party realises that the deal he has done is not in his favor? We will lose credibility in case of rollback and no serious business is going to accept this if there is this possibility of an "undo" button. I think NXT got really away because they didn't do the rollback. I believe that if they had done so they would be in vericoin's position now.

I don't understand very much how these things work, but in case of a theft and if there is very good proof that this is actually a theft and delegates vote 70% that this is a theft can't we just freeze this money completely and decide later how to proceed? i.e. could be burned as dividends, could be sent to a charity, could be used as insurance fund, or we just find the hacker and make him return the funds?
Quote from: gamey on August 18, 2014, 10:12:29 pm
I think if you are going to attempt to proactively address the issue then a "frozen funds account" would be best. An account where funds can be frozen by 51% majority and unfrozen later. People complain all day about this being abused, but it can always be done by 51% regardless of whether it is proactively supported.

This... together with the 5% inactivity fee sounds extremely selfish... wouldn't advise to do so
Key is competition... there can be many competing BTSX chains... you can sell shares in one and move to another with smarter owners.
We have the power to elect Congressmen and they have the power to bailout. How did that work for us?
Quote from: BldSwtTrs on August 18, 2014, 09:01:49 pm
What would prevent a government to pay delegates to retrieve funds identified as tax evaders' possession?

There is always the option to hard-fork if delegates are corrupted in such a manner. Delegates can be voted out as well. Also, the amount in question must be above a certain threshold before it can even be considered. Ie: a government couldn't bribe delegates to go after the little guys.
There comes a point in every crypto-currency's life where a major hack threatens the health of the system. It is always possible for major stakeholders (miners) to hard-fork in order to correct the problem, but hard-forks are messy and ugly. The options for a network are:

a) never reverse transactions, to hell with the share price
b) permit bailouts with consensus

If the BTSX on BTER had been stolen, what would we do? It would certainly be within our power to reverse it with a single update pushed to the delegates. It could potentially "fork" the network if the delegates disagreed with the process.

Given that forks are "difficult but possible" it sets a certain threshold that must be reached before it would be considered. I think that it may be best to recognize that sometimes a network needs to come to consensus about this stuff and design it in ahead of time so that there are no hard forks. Fortunately we have delegates and thus we can design a process something like this:

Step 1) Pay a large fee to propose reallocating funds from a set of addresses to a new set of addresses.
Step 2) Delegates have 48 hours to approve the reallocation during which time the funds are frozen.
Step 3) Require 51% of the delegates to approve it.
Step 4) Like the pay-rate, delegates can campaign on a platform of always voting NO and this campaign promise can be enforced.
Step 5) The amount in question must be greater than X% of the shares, and the fee should be very high.

Potential Problems:

1) Someone could attempt to "bribe the delegates" by proposing a massive reallocation to the delegates as part of approving the process....
   a) someone could also do this to bribe miners, forgers, etc to mine on the fork

Bottom line is this: if it is possible to implement via a hard fork and there are cases where people would choose to hard fork, then perhaps we should formalize the process and prevent the hardfork and overall disruption.

The mere presence of such recourse is likely to prevent many large thefts in the first place.

Thoughts?
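The five steps proposed in the post above, modelled as a small ledger so the interaction of fee, freeze, vote and expiry can be traced (an added example, not part of the original post and not BitShares code). The fee amount, the value standing in for "X%", the fee-pool account, the delegate names and the balances are constructed; counting the 51% against all delegates rather than only those who voted is an assumption.

```python
from dataclasses import dataclass, field

WINDOW = 48 * 3600       # Step 2: seconds the funds stay frozen while delegates vote
APPROVAL_PCT = 51        # Step 3: measured against ALL delegates (assumption)
FEE = 1_000              # Step 1: constructed value; the post only says "large"
MIN_PCT_OF_SUPPLY = 1    # Step 5: constructed stand-in for the post's "X%"
FEE_POOL = "fee-pool"    # hypothetical account that collects proposal fees

@dataclass
class Proposal:
    moves: dict          # source address -> destination address
    opened: int          # timestamp in seconds
    votes: dict = field(default_factory=dict)
    status: str = "open"

@dataclass
class Ledger:
    balances: dict
    delegates: set
    pledged_no: set = field(default_factory=set)  # Step 4: campaigned on "always NO"
    frozen: set = field(default_factory=set)

    def transfer(self, src, dst, amount):
        if src in self.frozen:
            raise PermissionError(f"{src} is frozen pending a delegate vote")
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient funds")
        self.balances[src] = self.balances.get(src, 0) - amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def propose(self, proposer, moves, now):
        amount = sum(self.balances.get(src, 0) for src in moves)
        if amount * 100 <= MIN_PCT_OF_SUPPLY * sum(self.balances.values()):
            raise ValueError("amount is not above X% of supply")   # Step 5
        self.transfer(proposer, FEE_POOL, FEE)   # Step 1: paid up front, never refunded
        self.frozen |= set(moves)                # Step 2: freeze for the voting window
        return Proposal(moves=dict(moves), opened=now)

    def vote(self, p, delegate, approve, now):
        if delegate not in self.delegates:
            raise PermissionError("only delegates vote")
        if p.status != "open" or now > p.opened + WINDOW:
            raise PermissionError("voting is closed")
        # Step 4: a YES from a delegate who pledged NO is recorded as NO.
        p.votes[delegate] = bool(approve) and delegate not in self.pledged_no

    def settle(self, p, now):
        if p.status != "open":
            return p.status
        yes = sum(p.votes.values())
        if yes * 100 >= APPROVAL_PCT * len(self.delegates):         # Step 3
            self.frozen -= set(p.moves)
            for src, dst in p.moves.items():
                self.transfer(src, dst, self.balances.get(src, 0))
            p.status = "approved"
        elif now > p.opened + WINDOW:
            self.frozen -= set(p.moves)   # no majority in time: funds are released
            p.status = "expired"
        return p.status

if __name__ == "__main__":
    led = Ledger({"thief": 500, "exchange": 100, "alice": 2000, "bob": 400},
                 {"d1", "d2", "d3", "d4", "d5"}, pledged_no={"d5"})  # constructed
    p = led.propose("alice", {"thief": "exchange"}, now=0)
    for d in ("d1", "d2", "d5", "d3"):
        led.vote(p, d, True, now=3600)
    print(led.settle(p, now=7200), led.balances)
```

In the expiry branch the fee stays in the pool while the frozen funds become spendable again, which is the cost a proposer without existing delegate support takes on.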
Wanted to ask the same question ever since the incident happened:

If the BTSX on BTER had been stolen, what would we do?

Would you have offered (the software for a fork) and would you have expressed opinion for/against fork?

After all the rumor is NXT was as exposed, as probably BTSX and other coins on bter.