IOTA has been notoriously famous for rolling their own flawed hash function, which allowed researchers to develop a working PoC for hash collision attacks.
Why in the world would they design a custom hash function?! How amateurish. As Bruce Schneier said:
> In 2017, leaving your crypto algorithm vulnerable to differential cryptanalysis is a rookie mistake. It says that no one of any calibre analyzed their system, and that the odds that their fix makes the system secure is low — Bruce Schneier (about IOTA)
OK, it looks like the answer is they designed a custom hash function because their system is built with ternary logic (?!?):
... because "Ternary is the optimal radix" according to their cofounder:
> Ternary is the optimal radix, actually Base E (2.71....) is, but you can't make processors like that. So it comes down to Base Binary (2) vs Base Ternary (3). 3 is closer to the universal optimum 2.71 than is 2. That is the absolute most simple elevator pitch for ternary.
Reading about the design of this system, I feel like I just entered the twilight zone, or maybe the website for Time Cube. Urbit makes more sense than this. (The design of Urbit makes fine sense, it's just the implementation is extremely obscure.)
Plus, if e is in fact the optimal radix, then there's no way to say that 3 is "more optimal" than 2. That's making all kinds of assumptions about the optimality curve. Assuming such a curve even exists...
> if you can't even be bothered to read 2 minutes about it and make such a mistake, that is entirely on you.
..
> It's covered in GUI FAQ, take time to read.
- /u/DavidSonstebo (CEO of IOTA)
Wow.
Anyone who has ever built software knows that users rarely read FAQs (maybe 1-5%). Anyone who's ever made ANY product/service/contract knows most users don't read the fine print.
I'm not sure if he's one of those hardcore backend guys who are oblivious to how humans use software, or maybe a bit autistic in his expectations of other people's capabilities/worldview, or is highly arrogant (rolling your own crypto fits this category well), or simply doesn't care because "everyone else is just not as smart as me". But regardless of the whys, that's simply no excuse in 2018 for pushing out very serious software, with real users, and significant time/money being potentially lost due to a complete disregard for real-life UX/UI.
> IOTA was made for machines, not humans.
This is no excuse either; it's a predictable expectation that new users will come in with their own preconceived understanding of how cryptocurrencies work, informed by how nearly every other currency works. So if your currency functions significantly differently, it's on the creator to communicate those differences clearly to the users.
"Anyone who has ever built software knows that users rarely read FAQs (maybe 1-5%). Anyone who's ever made ANY product/service/contract knows most users don't read the fine print."
Expecting tools to work without reading the manual reminds me of:
> "Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out?" In one case a member of the Upper, and in the other a member of the Lower, House put this question. I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question.
If the user WON'T read the FAQ, then the FAQ shouldn't exist. So how to educate an illiterate user?
If you read the article you would see it's about IOTA.
More importantly, IOTA never implemented seed generation into their native client software. With this being THE central function to their entire platform, one has to question the priorities and motives of the team behind this project.
When coupled with the comments by the CEO, one has to ask if the negligence is so absurdly severe it's malicious?
I read the article. It's a technical overview of a website designed to scam users. It doesn't reflect in any way that IOTA as a tech is insecure. Your claims are not related in any way to the contents of the article, are overreaching and biased. The allegations you've mentioned have been debunked [1]. Seed is basically a password so it's understandable it's not generated by the client software but many tutorials exist on how to create a secure one [2][3].
IOTA designers decided to leave out the seed generation function of their software, which predictably let 3rd parties like the one in the article create a malicious seed to exploit the platform.
Every other cryptocurrency software can facilitate wallet generation seeds natively, why does IOTA refuse to implement it?
On Friday, MIT Technology Review published an article on the cryptocurrency IOTA. The headline stated that the currency “could outperform Bitcoin.” However, we here at the MIT Media Lab have issues with the story.

Specifically, my colleagues in the Digital Currency Initiative (DCI) recently uncovered a gaping hole in IOTA’s software. And while that flaw has now been patched, we certainly disagree with reporter Michael Orcutt’s assertion that IOTA is “secure.” As the Director of the MIT Media Lab, I felt it important we outline our specific concerns.

— Joi*

Quote One:

“The rally began in late November, after the IOTA Foundation, the German nonprofit behind the novel cryptocurrency, announced that it was teaming up with several major technology firms to develop a ‘decentralized data marketplace.’” The article goes on to say: “And the high-profile names participating in its data market pilot—including Microsoft, Deutsche Telekom, and Fujitsu—suggest IOTA is onto something.”

Response One:

IOTA’s relationships with top-tier companies continue to be nebulous.

In the Technology Review article, Orcutt linked to a November 28, 2017 blog post from IOTA that gave the perception that Microsoft was a partner in the marketplace. However, after a flurry of media reports making this claim, IOTA corrected their relationship status with top-tier companies like Microsoft, Cisco, and Huawei in a blog post dated December 16. That the MIT Tech Review story links to IOTA’s initial blog post instead of the later version is misleading.

Quote Two:

Though IOTA tokens can be used like any other cryptocurrency, the protocol was designed specifically for use on connected devices, says cofounder David Sønstebø. Organizations collect huge amounts of data from these gadgets, from weather tracking systems to sensors that monitor the performance of industrial machinery (a.k.a. the Internet of things). But nearly all of that information is wasted, sitting in siloed databases and not making money for its owners, says Sønstebø.

IOTA’s system can address this in two ways, he says. First, it can assure the integrity of this data by securing it in a tamper-proof decentralized ledger.

Response Two:

Whether or not IOTA’s ledger is “tamper-proof,” the entire IOTA network went down in November, and was completely inoperable for about three days. That this has never happened in Bitcoin or Ethereum suggests the extent to which the IOTA network relies on the “coordinator”—a single point of failure—and is not truly decentralized.

Also troubling, IOTA developers were able to transfer funds out of users’ IOTA accounts. The user was then required to participate in a “reclaim” process to request their funds. We believe IOTA’s developers should not have access to such funds; it’s rife with risk.

Quote Three:

Second, it enables fee-less transactions between the owners of the data and anyone who wants to buy it—and there are plenty of companies that want to get their hands on data.

Now, here’s where things get really interesting. Instead of a blockchain, IOTA uses a “tangle,” which is based on a mathematical concept called a directed acyclic graph. Sønstebø says his team pursued an alternative approach after deciding that blockchains are too costly—it has recently cost as much as $20 per Bitcoin transaction because of high demand—and inefficient to operate at the scale required for the Internet of things.

Response Three:

Orcutt’s claim that IOTA is free of fees is misleading. Though perhaps not immediately obvious, IOTA transactions are "zero fee" in exactly the same way that Bitcoin transactions are. An important difference is that Bitcoin has miners who can perform the proof of work for you, while IOTA users do the proof of work on their own devices, per transaction. However, a Bitcoin user can also mine their own block to get their transactions accepted into the blockchain without paying fees. To put it another way, most people wouldn’t be interested in buying a refrigerator operated by a hand crank, even if the advertisement said “No electricity required!”

It’s true that transactions with Bitcoin and other digital currencies, even when amortized over a block with thousands of other transactions, require much more work than transactions in IOTA. However, the claim is not that IOTA transactions are easier—the claim appears to be that IOTA transactions are free.

Semantics aside, this claim, which appears in IOTA marketing materials, is deceptive; the work required is a fee, whether or not it requires a monetary payment. Restricting the ways in which the fee can be paid—requiring that the work be done on a user’s own device—doesn’t make it go away.

Quote Four:

“In August, researchers from MIT and Boston University reported that they discovered a “serious vulnerability” in a novel cryptographic technique IOTA was using. IOTA has patched the vulnerability, and Sønstebø says that security measures in place would have prevented anyone from losing funds. The foundation has hired a third-party firm to help it continue to develop the technique, which Sønstebø says represents the kind of “lightweight cryptography” needed for low-power connected devices, like sensors.”

Response Four:

Once the Digital Currency Initiative published the break in IOTA’s curl hash function, its author, Sergey Ivancheglo, offered two conflicting explanations for the vulnerability.

The first explanation was that the flaw was intentional—that it was meant to serve as a form of “copy protection.” If anyone used this code in their own work, he said, the IOTA developers would be able to exploit the flaw and damage other systems that were using the hash function. However, later, he offered a conflicting explanation that he didn’t write the curl at all, but that an AI wrote it.

We do not find either of these explanations convincing, even in isolation. That they contradict each other makes them even less so.
Copying and pasting whole articles doesn't make your point any more valuable. It's not a historical fact that what you pasted in is a response to the article I linked to because the two happened in a reverse chronological order. You'd know that if you read it since it clearly refers to those specific claims.
This subthread is really why I tend to ignore most crypto debate nowadays. Your points might all be valid, but even if they are/were, this entire subthread would be beside the point here IMHO.
I bought some IOTA a while ago and after doing a Google search on how to generate a wallet seed, it sent me to iotaseed.io. Thankfully though I didn't feel comfortable about a third party website potentially knowing my seed (which cannot be changed later) so I searched for alternatives and found a simple Linux command to do it. That probably saved me some money.
It's still surprising that it was a fraud, it looked like a legit website. It seems almost too blatant a crime given that the Github repo, IPs and the domain name of the site can probably be traced to someone.
But that piece of code should've triggered red flags even if the hacker hadn't added a payload to overwrite Math.seedrandom to always use the same seed. The fact that https://github.com/davidbau/seedrandom isn't cryptographically secure should've been enough to turn you away and warn others. And if you read it a bit more you'll notice that it is mostly junk code (unused variables like visitedHash, newindex).
Props to the hacker for the method acting. From the commit log https://github.com/eggdroid/eggseed3/commits/master I would not have suspected any malicious intent and would just have attributed it to incompetence (which might've worked better underhanded-c-contest style instead of using an explicit backdoor).
I think it's a shame how IOTA users are desperately seeking ways to safely generate their wallet seeds on third-party software. Shouldn't it be a built-in feature?
Using the official IOTA JavaScript library, the address that should correspond to this seed is PUEBLAHRQGOTIAMJHCCXXGQPXDQJS9BDFSCDSMINAYJNSILCCISDVY99GMKAEIAICYQUXMIYTNQCJYVDX, and according to this website, that’s an empty wallet. However, other sites designed to show information about the transaction history of an address just give a 404 error (see here for an example), indicating that either I made an error decoding this address or I’m misunderstanding something about how the IOTA network works.
This for me points out the issue with cryptocurrency in general. Even someone with technical prowess can't figure out how exactly things are supposed to work.
The author is a high school student who has written very basic HTML/CSS and some C projects, including one as a joke. This is not to say all HS students can't figure out how to use Bitcoin, but you might be overselling the experience/aptitude of the author in order to make a biased point against cryptocurrency.
Aha, I don't care if the author is 13 or 70. The article clearly demonstrates they are much, much more technical than the average user. Crypto UX is clearly an issue. (And I'm a massive crypto fan!)
They do seem to have at least some degree of technical proficiency, and their error isn't exactly obvious to me either. (I make no claims about my aptitude, only that I'm old.)
Calling their point "biased" pulls the discussion into emotional territory instead of being constructive. They might simply have assumed technical prowess.
Are you going to reject cars as well, on the basis that a trained mechanic can't necessarily determine how a nonstandard and baroquely designed car has broken?
Does anyone prosecute this kind of hack? Or, because it's a token without legal status, is it like stealing Sheldon's gear in WoW?
This kind of pre-generated seed hack is quite dangerous: a lot of mobile apps don't have deterministic builds, so you can't be sure the open-source version is the same as the one from the App Store, and I bet Apple won't do such a thorough search.
Considering how rabidly most cryptocurrency supporters denounce the government and the banking system and Wall Street and evil regulations, you would think they would be livid at the idea of a government(!) prosecuting people for anything related to cryptocurrency.
I'm a cryptocurrency supporter but I'm not anti tax or anti government. I genuinely think that decentralized trust based systems such as blockchain have a place in our world even alongside government.
With that said, I would like to believe that if caught, these types of seed hacks could be prosecuted. (If viable)
> I'm a cryptocurrency supporter but I'm not anti tax or anti government.
The GNU Taler project might be interesting to you, then.
It is based on design decisions that are refreshingly different from classic cryptocurrencies (which implement more of an anarcho-capitalist mindset). Because of those design differences, I'm not sure if it should be considered a cryptocurrency or not. (They themselves do not.)
(Too bad I can't edit my original comment anymore here on HN. I find it disgusting to have helped spread a scam website and not being able to fix that afterwards.)
So as a non-cryptocurrency supporter, what's the point then? Making things distributed necessarily makes it slower and harder/more expensive to regulate (let alone operate). Not to mention the high volatility, which is the primary thing that gives a currency any value (hence why the US Dollar is considered the reserve currency of the world: its stability). At some point, a duck is a duck. This duck is a fun experiment, and someone discovered how to combine proof of work (old concept) with quorums (old concept) and a distributed ledger (old concept) that altogether gave the illusion of something unique and usable. I'm seeing worse usability on all fronts, no endgame in sight (except to move to a new currency when transaction fees get high), little to no regulation, and a worse world in general. It's also ecologically irresponsible (centralized currencies will _always_ be more efficient by definition).
I don't care that I can make a quick buck by preying on people's FOMO, the whole movement is fueled by seemingly emotional, albeit baseless, arguments and bravado.
Maybe if the whole thing is dropped neatly with a bow on someone's desk at a cybercrime unit of the central police in the country where the perpetrator lives. But probably not.
It's not so much because authorities don't consider it a crime, like stealing WoW gear, but because of the difficulties in investigating and prosecuting the case vs the total losses.
The project doesn't currently come with its own seed generator, so users are left using (sometimes) shady third-party services, such as this website.
The developers insist that it's not a currency intended for 'speculation between users' but rather for a particular machine-to-machine use case, which is how they attempt to dodge lots of the criticism regarding the flaws in both the crypto and UX.
One of the differences is that my ether wallet actively discourages you from running the code off of their website. They insist that you clone it off of GitHub for security purposes. In addition myetherwallet has undergone several security audits.
I sincerely hope you're wrong. The only way to store ETH on a Trezor is through integration with myetherwallet. Unless you're just referring to seed generation?
You don't even need that, there's been a bunch of fraud in hardware wallets from people simply pre-setting the seed and shipping them with a "this is your seed, don't forget it" slip. Not everyone will use that seed, but some do, and then they lose their money.
Basically, unless you're 100% vigilant literally all of the time, you're in trouble. This is just one reason why we invented banks, to centralize risk and mitigation.
I think the idea is that the seed and associated private keys are stored securely on a secure element, and they cannot be transferred to your computer. Only a signed message that allows broadcasting of a signed message can. But I could be mistaken?
The chrome app doesn't know the private key and the nano itself only runs signed code unless you imply that the Ledger Company itself planted the backdoor.
I was worried about this happening ages ago so I wrote my own. In case anyone is interested, I believe this is a cryptographically secure method of seed generation, but happy to have feedback from anyone who knows better:
How were multiple people able to use the same wallet? I thought IOTA didn't support address reuse. And how come people didn't notice it already had a balance?
am I the only one who thinks this is neither a new kind of scam, nor in any other way surprising, and that the whole discussion here is hardly about the article but mostly people voicing their general opinions for/against iota?
https://medium.com/@neha/cryptographic-vulnerabilities-in-io...
The CEO of IOTA David Sonstebo tells his users it's not his problem if they lose money using IOTA because they're too dumb to understand the design flaws: https://np.reddit.com/r/CryptoCurrency/comments/7gwl38/hello...
Yikes.
IOTA also relies on a centralized server owned and operated by David Sonstebo which takes periodic snapshots so transactions can be rolled back if the IOTA devs ever feel the want to. https://domschiener.gitbooks.io/iota-guide/content/chapter1/...
Further reading:
Nick Johnson: Why I Find IOTA Deeply Alarming https://hackernoon.com/why-i-find-iota-deeply-alarming-934f1...
Daniel Rice: Why I Also Find IOTA Deeply Alarming https://medium.com/@thedrbits/why-i-also-find-iota-deeply-al...
Eric Wall: IOTA Is Centralized https://medium.com/@ercwl/iota-is-centralized-6289246e7b4d
Side note: the founding developer of IOTA, Sergey Ivancheglo, claims to have built a time machine http://come-from-beyond.com/about-me/