Author Topic: Breaking Bitshares: The Wargame  (Read 2465 times)

0 Members and 1 Guest are viewing this topic.

Offline matle85

  • Full Member
  • ***
  • Posts: 148
    • View Profile
As a bitshares supporter I do not like the constant trail of uncertainty and paranoia strewn about.

Open ledger's DNS was hacked, for a while, and no one cared about security. But here now you post as if security is a major concern.

What is the procedure to resolve a breach, beyond calling BM? That info would be beneficial to the community.

And no one named Kristen works with me on Spark. Yo must be talking about bitspark.

Yep sorry Bitspark, SparkDex, Zeph etc - I hadn't realised there is another Spark project. Any link so I can educate myself?

Offline spark

As a bitshares supporter I do not like the constant trail of uncertainty and paranoia strewn about.

Open ledger's DNS was hacked, for a while, and no one cared about security. But here now you post as if security is a major concern.

What is the procedure to resolve a breach, beyond calling BM? That info would be beneficial to the community.

And no one named Kristen works with me on Spark. Yo must be talking about bitspark.







Offline matle85

  • Full Member
  • ***
  • Posts: 148
    • View Profile
Although I was concerned about seeing this topic in public, and introduced by a total newbie to the forum, I commented. Not adding ideas to how to break the system as much as what we should be weary of.

Nevertheless, I don't believe such vulnerabilities should be discussed in public. I have thus suggested that this thread / topic be removed.

Although significant improvements can and should be made to provide a trusted way to discuss these things, it should not be public for obvious reasons, and should not allow anonymous newbies, no matter how well intentioned, to participate. Trust must be earned, and that come from being known, and that takes observation of person's actions and words over a period of time. Instantaneous trust is worthless.

I suggested keybase as a secure app we could use for secure, private comminications. Most of the devs are already on keybase, as are some witnessses, includning myself.

No objection to it being removed from my side - suggest it would be good to continue in another channel though.

And for info I thought the same but it's Kristen from Spark who posted originally, he's just not on the forum much.

Offline iamredbar

Nevertheless, I don't believe such vulnerabilities should be discussed in public. I have thus suggested that this thread / topic be removed.

After thinking about this more, I agree with you.

Offline Thom

Although I was concerned about seeing this topic in public, and introduced by a total newbie to the forum, I commented. Not adding ideas to how to break the system as much as what we should be weary of.

Nevertheless, I don't believe such vulnerabilities should be discussed in public. I have thus suggested that this thread / topic be removed.

Although significant improvements can and should be made to provide a trusted way to discuss these things, it should not be public for obvious reasons, and should not allow anonymous newbies, no matter how well intentioned, to participate. Trust must be earned, and that come from being known, and that takes observation of person's actions and words over a period of time. Instantaneous trust is worthless.

I suggested keybase as a secure app we could use for secure, private comminications. Most of the devs are already on keybase, as are some witnessses, includning myself.
Injustice anywhere is a threat to justice everywhere - MLK |  Verbaltech2 Witness Reports: https://bitsharestalk.org/index.php/topic,23902.0.html

Offline matle85

  • Full Member
  • ***
  • Posts: 148
    • View Profile
7) Seize control through purchase / seizure of BTS or manipulation / bullying of holders to proxy.

I've added the above following Thom's point. This is an interesting one as it wouldnt have to be an individual / group of individuals. If we have more adoption and more CEX's holding significant BTS then conceivably they could be compelled to act. Just look at how big a voter Binance are on their own.


Offline Thom

6) Launch spam/scam versions of it to undermine confidence and create general feeling it's a scam.

This would be the most detrimental one for BitShares IMO. Right now BitShares is sitting solid as far as functionality goes, but what BitShares doesn’t have is a good marketing. If something malicious was to appear, how would the community know? It would take people getting scammed to realize we have a problem, then we are reacting instead of being proactive.

How would we know... that's a difficult question to answer b/c it requires psychological scrutiny and sensitivity to detect the usually subtle signs of sociopathy or psycopathy.

At least one hostile takeover has been attempted in this community and the community response was not good at all IMO. Most people were afraid to side with one party or the the other, and it reminded me of the old excuse, "I don't want to get involved", and the oft quoted, "All it takes for evil to triumph is for good men to do nothing".

I see several aspects of BitShares governance that have weakened decentralization and increased the chances of manipulation by those with a a personal agenda which is contrary to the well being of the ecosytem. I don't believe any community or project can succeed if the people that comprise it aren't willing to take responsibility for it. This community is a reflection of the attitudes and character of society at large, no longer of the team that created it. Thus we see actions taken outside of consensus and pushing agendas contrary to [some] of the values held by the original devs / creators, with no regard to the reasons and rationale those values were established for. I see it in many crypto projects, the shift away from the original core principles and attitudes that led to the creation of blockchain technology in the first place.

Also keep in mind one of the fundamental flaws in any POS based consensus algo, including DPOS. All it takes is enough money and you can buy your influence. Actually you could gain major influence simply by using persuasion to convince enough shareholders to proxy to you. It wouldn't be easy for a normal person but for a "talented" and practiced psychopath I think it would be quite possible.

Injustice anywhere is a threat to justice everywhere - MLK |  Verbaltech2 Witness Reports: https://bitsharestalk.org/index.php/topic,23902.0.html

Offline iamredbar

6) Launch spam/scam versions of it to undermine confidence and create general feeling it's a scam.

This would be the most detrimental one for BitShares IMO. Right now BitShares is sitting solid as far as functionality goes, but what BitShares doesn’t have is a good marketing. If something malicious was to appear, how would the community know? It would take people getting scammed to realize we have a problem, then we are reacting instead of being proactive.

Offline matle85

  • Full Member
  • ***
  • Posts: 148
    • View Profile
Great idea Kristen.

I'll have a proper think but initially:
1) Spread fear and FUD about decentralised exchanges (underway) to throttle interest, the price etc.
2) Block access by taking down the website or restricting access to it.
3) Go after committee members or witnesses (charges, court orders, seizures).
4) Go after users (as above).
5) Try and clog up the network (seems doomed to fail).
6) Launch spam/scam versions of it to undermine confidence and create general feeling it's a scam.
7) Seize control through purchase / seizure of BTS or manipulation / bullying of holders to proxy (added following Thom's post)

I think 1) with some high profile 3) or 4) is most likely.

« Last Edit: November 11, 2018, 07:18:04 am by matle85 »

SubstantialAnything

  • Guest
Hey all,

Not sure if this has been done before, but wanted to make a space for everyone to share any ideas on how bitshares could be broken. It's more relevant now that we know regulators in the US are focusing on DEX's: https://www.forbes.com/sites/michaeldelcastillo/2018/11/09/new-sec-cyber-chief-puts-cryptocurrency-exchanges-on-notice/

I doubt their ability to actually do anything, but it does bear the question: how would someone break bitshares if they really wanted to? We have an active worker going for the bug bounties and hacking the DEX, but I am thinking more broadly, beyond technical exploits.

I'd love to hear your thoughts on: 

- What do you think is the most effective way to attack bitshares? Ideal preventions?
- Does an attack need to be permanent in it's effect or only temporary to have the desired result?
- What are the circumstances that lead to it happening? 
- How do we define an attack? Is it as simple as anything which directly interferes with the integrity of the blockchain itself, or does it expand to include alterations/extensions of core functionality that have the effect of damaging the effectiveness of bitshares overall? 

As a community, what gaps do we have that we need to fill, and are there any courses of action we can do to get ahead?

And yes I am aware if we write everything here it effectively becomes the Anarchist's Cookbook of taking down BTS. But I don't think anyone's watching ;-)