Author Topic: Criteria for selecting delegates  (Read 19955 times)

0 Members and 1 Guest are viewing this topic.

Offline emski

  • Hero Member
  • *****
  • Posts: 1282
    • View Profile
    • http://lnkd.in/nPbhxG
Whatever your criteria is - what matters is the criteria of (big) shareholders (: .

Offline puppies

  • Hero Member
  • *****
  • Posts: 1659
    • View Profile
  • BitShares: puppies
Whats the worst thing a malicious delegate could do?  Double sign blocks?  not include transactions?  Change their clock settings to cause others to miss blocks?  Stop producing blocks all together?  Are there worse things that I just don't know about?

All of these things are readily apparent on the blockchain, and can be dealt with if / when they come up.  Isn't the point of DPOS to set the level of centralization at an acceptable point so that no single delegate can do any real harm?

For these reasons I think your criteria #1 and #2 are way overvalued.  In fact I think their only worth is to help us determine if #4 and #5 are met.

My criteria is as follows

#1  Performance. 
Do they double sign blocks?  Do they miss blocks?  Are they including transactions known to be broadcast?  Are they including market transactions that weren't broadcast? 

#2 Are they running more than one delegate
Even in the short term I am opposed to individuals or groups running multiple delegates.  Look what happens when a node running one of these multi delegates goes down.  Long term I think it is even more important that we ensure geographical and political distribution of our delegates.  To prevent both collusion and coercion.

#3 What is their pay rate and have they proven that they deserve it
At this point running a seed node and a delegate server should take up around 50% of fees.  What are you spending your fees on, and how does that benefit me more than them being destroyed?  Can you prove it?

4# Reputation.
Both online and in RL.  Most important, do they have a history of theft, graft, violence, or collusion with violent organizations?  This is not in regards to running a delegate node, I just think its a good idea overall.  There is nothing you could do as a single delegate that would lead me to either call the cops, or come to your house.  Other than in reference to #2 and #3 above.  I don't care who you are.

#5 engagement level.
Are they reading the forum, upgrading on time, and keeping a close eye on their delegate node?  This will all show up in results.  I only mention it because you didn't

#6 Technical ability
This will also be directly measurable in the results.  Incompetent delegates will not last long.

Perhaps I'm in the minority but I think we are over politicizing what should be and in reality is a very simple job.  I think politics is a much greater threat to our ability to stay safe and decentralized than a couple of malicious delegates getting in from time to time.

Let's say theoretically a single attacker or a group of attackers with multiple active delegates collude to take control of the network by performing a coordinated DDOS of other active delegates. Correct me if I'm wrong but if you own ALL active delegates for even a very short consecutive time period (~17 minutes max) you can take over block generation completely and exclude all other active delegates from producing blocks indefinitely by manipulating random number generation. During this short period of time, you could selectively exclude transactions (though TaPOS would presumably prevent you from wholesale shutdown of the network). I'm not even sure it would be possible to vote you out in such a scenario. In fact, the attacker could in theory exclude all transactions that vote their delegates out and continue to include all other transactions to maintain control (and to vote their own delegates up). Not sure about the feasibility of doing this, but if my assumption is correct - mainly the assumption that producing an uninterrupted sequence of 101 blocks can allow you to take complete control of the network - then the results would be pretty disastrous. Even if it were possible to "vote out" these delegates once they are in control, there would be significant damage. If we implement a dependency on median price feeds the situation could be even worse. the attacker could walk away with a MASSIVE amount of money if they were able to control the median feed (there would be little recourse in this situation). These are only the probably flawed and initial thoughts of an amateur. I'm sure there are other attack vectors that we can't foresee right now. The point is, I think this argument about delegates not being able to do anything malicious is the worst worst worst message to convey. If Bitshares became a dominant currency, extremely well-funded and sophisticated attacks would be incentivized and executed by entities with both financial and other motivations. Choose your delegates carefully.

Exposing your realword identity is the single biggest deterrent to doing anything malicious. If you support this flawed assumption that it is "impossible" to do anything malicious then I guess you can worry more about 99.9% uptime vs. 99.85% uptime. But if security is your objective then there is nothing more important than realworld identity. As a delegate, if your pseudonym or online reputation is worth less to you than the potential bounty of an attack then we have no recourse against you. If we know your real identity then you will also think about jail time or worse (a much stronger deterrent).
That's assuming that I'm a u.s. citizen.  I haven't faked my presumed real world identity.  What I have done is considered a crime.  And that it can somehow be traced to my delegate. 

To be honest, a greater deterrent would be the fact that any attack would destroy the currency and thus any profit I could hope to make from it. 

I personally am more concerned about attacks motivated by reasons other than monetary gain (at least on network).  Such as your described ddos attack carried out by an outside actor.  Perhaps to increase the value of their holdings in another currency.

Releasing real world identity helps us ensure that a) there is only 1 delegate per person and b) if they are taking profits they are earning the profits. 

In short I think the largest dangers with delegates are collusion and coercion.  While it's possible that knowing delegates real world identities will help prevent collusion it almost certainly increases our chances of coercion.

If I could be 100% certain that every single delegate was controlled by a unique individual, I wouldn't care if they were all run through tor.  In fact In that case I think it would be better if they were.
https://metaexchange.info | Bitcoin<->Altcoin exchange | Instant | Safe | Low spreads

Offline alphaBar

  • Sr. Member
  • ****
  • Posts: 321
    • View Profile
Thanks for responding.  I'm at work right now and don't have time for a thorough response.  In short though, I don't think your attack would work since there is no way to forge votes.  If you went into the attack with five delegates you would come out with five delegates.  It would be destructive, but no more destructive than a ddos attack by an outside actor. 

What we should really be worried about is that with 1.15 billion btsx claimed from genesis less than a third of that is currently voting.  And over half of that is controlled by bm.

It's not about "forging" votes. It's about excluding votes in favor of other delegates when you are in control of block production. If you are the only one voting then you have 100% of the votes. Votes don't count if they don't make it into a block.

Offline alphaBar

  • Sr. Member
  • ****
  • Posts: 321
    • View Profile
Exposing your realword identity is the single biggest deterrent to doing anything malicious. If you support this flawed assumption that it is "impossible" to do anything malicious then I guess you can worry more about 99.9% uptime vs. 99.85% uptime. But if security is your objective then there is nothing more important than realworld identity. As a delegate, if your pseudonym or online reputation is worth less to you than the potential bounty of an attack then we have no recourse against you. If we know your real identity then you will also think about jail time or worse (a much stronger deterrent).

Edit: unnecessary quotes
« Last Edit: August 29, 2014, 01:55:35 am by alphaBar »

Offline puppies

  • Hero Member
  • *****
  • Posts: 1659
    • View Profile
  • BitShares: puppies
P.s.  I also think we should be very careful selecting delegatesI just have different criteria.  I think most of it can be determined on block chain.
https://metaexchange.info | Bitcoin<->Altcoin exchange | Instant | Safe | Low spreads

Offline puppies

  • Hero Member
  • *****
  • Posts: 1659
    • View Profile
  • BitShares: puppies
Thanks for responding.  I'm at work right now and don't have time for a thorough response.  In short though, I don't think your attack would work since there is no way to forge votes.  If you went into the attack with five delegates you would come out with five delegates.  It would be destructive, but no more destructive than a ddos attack by an outside actor. 

What we should really be worried about is that with 1.15 billion btsx claimed from genesis less than a third of that is currently voting.  And over half of that is controlled by bm.
https://metaexchange.info | Bitcoin<->Altcoin exchange | Instant | Safe | Low spreads

Offline alphaBar

  • Sr. Member
  • ****
  • Posts: 321
    • View Profile
Whats the worst thing a malicious delegate could do?  Double sign blocks?  not include transactions?  Change their clock settings to cause others to miss blocks?  Stop producing blocks all together?  Are there worse things that I just don't know about?

All of these things are readily apparent on the blockchain, and can be dealt with if / when they come up.  Isn't the point of DPOS to set the level of centralization at an acceptable point so that no single delegate can do any real harm?

For these reasons I think your criteria #1 and #2 are way overvalued.  In fact I think their only worth is to help us determine if #4 and #5 are met.

My criteria is as follows

#1  Performance. 
Do they double sign blocks?  Do they miss blocks?  Are they including transactions known to be broadcast?  Are they including market transactions that weren't broadcast? 

#2 Are they running more than one delegate
Even in the short term I am opposed to individuals or groups running multiple delegates.  Look what happens when a node running one of these multi delegates goes down.  Long term I think it is even more important that we ensure geographical and political distribution of our delegates.  To prevent both collusion and coercion.

#3 What is their pay rate and have they proven that they deserve it
At this point running a seed node and a delegate server should take up around 50% of fees.  What are you spending your fees on, and how does that benefit me more than them being destroyed?  Can you prove it?

4# Reputation.
Both online and in RL.  Most important, do they have a history of theft, graft, violence, or collusion with violent organizations?  This is not in regards to running a delegate node, I just think its a good idea overall.  There is nothing you could do as a single delegate that would lead me to either call the cops, or come to your house.  Other than in reference to #2 and #3 above.  I don't care who you are.

#5 engagement level.
Are they reading the forum, upgrading on time, and keeping a close eye on their delegate node?  This will all show up in results.  I only mention it because you didn't

#6 Technical ability
This will also be directly measurable in the results.  Incompetent delegates will not last long.

Perhaps I'm in the minority but I think we are over politicizing what should be and in reality is a very simple job.  I think politics is a much greater threat to our ability to stay safe and decentralized than a couple of malicious delegates getting in from time to time.

Let's say theoretically a single attacker or a group of attackers with multiple active delegates collude to take control of the network by performing a coordinated DDOS of other active delegates. Correct me if I'm wrong but if you own ALL active delegates for even a very short consecutive time period (~17 minutes max) you can take over block generation completely and exclude all other active delegates from producing blocks indefinitely by manipulating random number generation. During this short period of time, you could selectively exclude transactions (though TaPOS would presumably prevent you from wholesale shutdown of the network). I'm not even sure it would be possible to vote you out in such a scenario. In fact, the attacker could in theory exclude all transactions that vote their delegates out and continue to include all other transactions to maintain control (and to vote their own delegates up). Not sure about the feasibility of doing this, but if my assumption is correct - mainly the assumption that producing an uninterrupted sequence of 101 blocks can allow you to take complete control of the network - then the results would be pretty disastrous. Even if it were possible to "vote out" these delegates once they are in control, there would be significant damage. If we implement a dependency on median price feeds the situation could be even worse. the attacker could walk away with a MASSIVE amount of money if they were able to control the median feed (there would be little recourse in this situation). These are only the probably flawed and initial thoughts of an amateur. I'm sure there are other attack vectors that we can't foresee right now. The point is, I think this argument about delegates not being able to do anything malicious is the worst worst worst message to convey. If Bitshares became a dominant currency, extremely well-funded and sophisticated attacks would be incentivized and executed by entities with both financial and other motivations. Choose your delegates carefully.



Offline GaltReport

Whats the worst thing a malicious delegate could do?  Double sign blocks?  not include transactions?  Change their clock settings to cause others to miss blocks?  Stop producing blocks all together?  Are there worse things that I just don't know about?

All of these things are readily apparent on the blockchain, and can be dealt with if / when they come up.  Isn't the point of DPOS to set the level of centralization at an acceptable point so that no single delegate can do any real harm?

For these reasons I think your criteria #1 and #2 are way overvalued.  In fact I think their only worth is to help us determine if #4 and #5 are met.

My criteria is as follows

#1  Performance. 
Do they double sign blocks?  Do they miss blocks?  Are they including transactions known to be broadcast?  Are they including market transactions that weren't broadcast? 

#2 Are they running more than one delegate
Even in the short term I am opposed to individuals or groups running multiple delegates.  Look what happens when a node running one of these multi delegates goes down.  Long term I think it is even more important that we ensure geographical and political distribution of our delegates.  To prevent both collusion and coercion.

#3 What is their pay rate and have they proven that they deserve it
At this point running a seed node and a delegate server should take up around 50% of fees.  What are you spending your fees on, and how does that benefit me more than them being destroyed?  Can you prove it?

4# Reputation.
Both online and in RL.  Most important, do they have a history of theft, graft, violence, or collusion with violent organizations?  This is not in regards to running a delegate node, I just think its a good idea overall.  There is nothing you could do as a single delegate that would lead me to either call the cops, or come to your house.  Other than in reference to #2 and #3 above.  I don't care who you are.

#5 engagement level.
Are they reading the forum, upgrading on time, and keeping a close eye on their delegate node?  This will all show up in results.  I only mention it because you didn't

#6 Technical ability
This will also be directly measurable in the results.  Incompetent delegates will not last long.

Perhaps I'm in the minority but I think we are over politicizing what should be and in reality is a very simple job.  I think politics is a much greater threat to our ability to stay safe and decentralized than a couple of malicious delegates getting in from time to time.

 +5% +5% +5%

Offline puppies

  • Hero Member
  • *****
  • Posts: 1659
    • View Profile
  • BitShares: puppies
Whats the worst thing a malicious delegate could do?  Double sign blocks?  not include transactions?  Change their clock settings to cause others to miss blocks?  Stop producing blocks all together?  Are there worse things that I just don't know about?

All of these things are readily apparent on the blockchain, and can be dealt with if / when they come up.  Isn't the point of DPOS to set the level of centralization at an acceptable point so that no single delegate can do any real harm?

For these reasons I think your criteria #1 and #2 are way overvalued.  In fact I think their only worth is to help us determine if #4 and #5 are met.

My criteria is as follows

#1  Performance. 
Do they double sign blocks?  Do they miss blocks?  Are they including transactions known to be broadcast?  Are they including market transactions that weren't broadcast? 

#2 Are they running more than one delegate
Even in the short term I am opposed to individuals or groups running multiple delegates.  Look what happens when a node running one of these multi delegates goes down.  Long term I think it is even more important that we ensure geographical and political distribution of our delegates.  To prevent both collusion and coercion.

#3 What is their pay rate and have they proven that they deserve it
At this point running a seed node and a delegate server should take up around 50% of fees.  What are you spending your fees on, and how does that benefit me more than them being destroyed?  Can you prove it?

4# Reputation.
Both online and in RL.  Most important, do they have a history of theft, graft, violence, or collusion with violent organizations?  This is not in regards to running a delegate node, I just think its a good idea overall.  There is nothing you could do as a single delegate that would lead me to either call the cops, or come to your house.  Other than in reference to #2 and #3 above.  I don't care who you are.

#5 engagement level.
Are they reading the forum, upgrading on time, and keeping a close eye on their delegate node?  This will all show up in results.  I only mention it because you didn't

#6 Technical ability
This will also be directly measurable in the results.  Incompetent delegates will not last long.

Perhaps I'm in the minority but I think we are over politicizing what should be and in reality is a very simple job.  I think politics is a much greater threat to our ability to stay safe and decentralized than a couple of malicious delegates getting in from time to time.
https://metaexchange.info | Bitcoin<->Altcoin exchange | Instant | Safe | Low spreads

Offline alphaBar

  • Sr. Member
  • ****
  • Posts: 321
    • View Profile
Only 1 delegate and info on the signature. This is why I combine charity, lottery and some revenue. I will reveal my identity in time if necessary, but everybody should know me as I have been here for a while, helping when possible.

I decided to maintain only those who have offered to reveal their identity in my original list, since there is no way to verify how many delegates a person is running. That being said, I did vote for you based on your reputation.

Offline liondani

  • Hero Member
  • *****
  • Posts: 3737
  • Inch by inch, play by play
    • View Profile
    • My detailed info
  • BitShares: liondani
  • GitHub: liondani
Only 1 delegate and info on the signature. This is why I combine charity, lottery and some revenue. I will reveal my identity in time if necessary, but everybody should know me as I have been here for a while, helping when possible.
*confirmed*

me2

Offline xeroc

  • Board Moderator
  • Hero Member
  • *****
  • Posts: 12922
  • ChainSquad GmbH
    • View Profile
    • ChainSquad GmbH
  • BitShares: xeroc
  • GitHub: xeroc
Only 1 delegate and info on the signature. This is why I combine charity, lottery and some revenue. I will reveal my identity in time if necessary, but everybody should know me as I have been here for a while, helping when possible.
*confirmed*

Offline betax

  • Hero Member
  • *****
  • Posts: 808
    • View Profile
Only 1 delegate and info on the signature. This is why I combine charity, lottery and some revenue. I will reveal my identity in time if necessary, but everybody should know me as I have been here for a while, helping when possible.
https://metaexchange.info | Bitcoin<->Altcoin exchange | Instant | Safe | Low spreads

Offline alphaBar

  • Sr. Member
  • ****
  • Posts: 321
    • View Profile
How do you verify identity?

There are many different forms and degrees of verification. Each person should provide whatever info they are comfortable with and voters can decide if that is sufficient. I've added verification links for each delegate who has provided ID information.

Offline alphaBar

  • Sr. Member
  • ****
  • Posts: 321
    • View Profile
I only run 1 delegate id, and my info see my signature.

If you'd like to reveal your realworld ID to be added to the list please let me know.