
Topic: Steemit how can this thing be workable long term? - page 6. (Read 32319 times)

legendary
Activity: 2968
Merit: 1198
I recently read that Steem's JavaScript wallet system stores the hash of a user's password on the blockchain. This would essentially reduce security to the level of brain wallets. Doesn't this open the possibility of brute force attacks to compromise many of those wallets? All it would take is cheap cracking software and some hundreds of low-hanging fruit wallets with weak passwords.

Recently it was changed to generate exclusively high entropy passwords.






Building on that--what are the plans for further security upgrades? I read a bit on the witness security, but it's been a few days and can't remember the details....

I don't know the witness security thing but the main direction on security seems to be account recovery. This approach accepts that keys will be compromised but makes it less costly. Already there is a system where a compromised account can be returned to its original owner. Next up will be time locked access controls so if an account is compromised, limits apply to the amount of funds that can be removed from the account before it is recovered (this already applied to Steem Power and will be added to the other asset times). The final form of recovery that is planned is being able to designate a group of friends and family (essentially a form of multisig) who can approve recovery from lost keys (including death of the owner without leaving access to the keys to anyone).

Is there a write-up of those features?

https://steemit.com/blockchain/@dan/does-blockchain-security-need-to-be-completely-reworked
https://steemit.com/blockchain/@dan/steemit-releases-groundbreaking-account-recovery-solution

Permission to quote you?

Sure
legendary
Activity: 1750
Merit: 1036
Facts are more efficient than fud
I recently read that Steem's JavaScript wallet system stores the hash of a user's password on the blockchain. This would essentially reduce security to the level of brain wallets. Doesn't this open the possibility of brute force attacks to compromise many of those wallets? All it would take is cheap cracking software and some hundreds of low-hanging fruit wallets with weak passwords.

Recently it was changed to generate exclusively high entropy passwords.






Building on that--what are the plans for further security upgrades? I read a bit on the witness security, but it's been a few days and can't remember the details....

I don't know the witness security thing but the main direction on security seems to be account recovery. This approach accepts that keys will be compromised but makes it less costly. Already there is a system where a compromised account can be returned to its original owner. Next up will be time locked access controls so if an account is compromised, limits apply to the amount of funds that can be removed from the account before it is recovered (this already applied to Steem Power and will be added to the other asset times). The final form of recovery that is planned is being able to designate a group of friends and family (essentially a form of multisig) who can approve recovery from lost keys (including death of the owner without leaving access to the keys to anyone).

Is there a write-up of those features?

https://steemit.com/blockchain/@dan/does-blockchain-security-need-to-be-completely-reworked
https://steemit.com/blockchain/@dan/steemit-releases-groundbreaking-account-recovery-solution

Permission to quote you?

I think the security was the lightbulb for me--acknowledge the problem and solve it.
legendary
Activity: 2968
Merit: 1198
I recently read that Steem's JavaScript wallet system stores the hash of a user's password on the blockchain. This would essentially reduce security to the level of brain wallets. Doesn't this open the possibility of brute force attacks to compromise many of those wallets? All it would take is cheap cracking software and some hundreds of low-hanging fruit wallets with weak passwords.

Recently it was changed to generate exclusively high entropy passwords.






Building on that--what are the plans for further security upgrades? I read a bit on the witness security, but it's been a few days and can't remember the details....

I don't know the witness security thing but the main direction on security seems to be account recovery. This approach accepts that keys will be compromised but makes it less costly. Already there is a system where a compromised account can be returned to its original owner. Next up will be time locked access controls so if an account is compromised, limits apply to the amount of funds that can be removed from the account before it is recovered (this already applied to Steem Power and will be added to the other asset times). The final form of recovery that is planned is being able to designate a group of friends and family (essentially a form of multisig) who can approve recovery from lost keys (including death of the owner without leaving access to the keys to anyone).

Is there a write-up of those features?

https://steemit.com/blockchain/@dan/does-blockchain-security-need-to-be-completely-reworked
https://steemit.com/blockchain/@dan/steemit-releases-groundbreaking-account-recovery-solution
legendary
Activity: 1750
Merit: 1036
Facts are more efficient than fud
I recently read that Steem's JavaScript wallet system stores the hash of a user's password on the blockchain. This would essentially reduce security to the level of brain wallets. Doesn't this open the possibility of brute force attacks to compromise many of those wallets? All it would take is cheap cracking software and some hundreds of low-hanging fruit wallets with weak passwords.

Recently it was changed to generate exclusively high entropy passwords.






Building on that--what are the plans for further security upgrades? I read a bit on the witness security, but it's been a few days and can't remember the details....

I don't know the witness security thing but the main direction on security seems to be account recovery. This approach accepts that keys will be compromised but makes it less costly. Already there is a system where a compromised account can be returned to its original owner. Next up will be time locked access controls so if an account is compromised, limits apply to the amount of funds that can be removed from the account before it is recovered (this already applied to Steem Power and will be added to the other asset times). The final form of recovery that is planned is being able to designate a group of friends and family (essentially a form of multisig) who can approve recovery from lost keys (including death of the owner without leaving access to the keys to anyone).

Is there a write-up of those features?
legendary
Activity: 1260
Merit: 1115



Good work.   Using shitcoin pumps to help is great.


I hope (lifestyle-altering amounts of) scamshilling doesn't change smooth.

It would suck if he spent all his time on beaches with his fingers around rum-soaked bollocks, instead of slumming around the altcoin ghetto with us.   Cheesy

It really is that easy.
legendary
Activity: 2968
Merit: 1198
I recently read that Steem's JavaScript wallet system stores the hash of a user's password on the blockchain. This would essentially reduce security to the level of brain wallets. Doesn't this open the possibility of brute force attacks to compromise many of those wallets? All it would take is cheap cracking software and some hundreds of low-hanging fruit wallets with weak passwords.

Recently it was changed to generate exclusively high entropy passwords.




Building on that--what are the plans for further security upgrades? I read a bit on the witness security, but it's been a few days and can't remember the details....

I don't know the witness security thing but the main direction on security seems to be account recovery. This approach accepts that keys will be compromised but makes it less costly. Already there is a system where a compromised account can be returned to its original owner. Next up will be time locked access controls so if an account is compromised, limits apply to the amount of funds that can be removed from the account before it is recovered (this already applies to Steem Power and will be added to the other asset times). The final form of recovery that is planned is being able to designate a group of friends and family (essentially a form of multisig) who can approve recovery from lost keys (including death of the owner without leaving access to the keys to anyone).

legendary
Activity: 2156
Merit: 1072
Crypto is the separation of Power and State.



Good work.  Keep stealing ch33p XMR from the market and hloding them in your strong hands.  Using shitcoin pumps to help is some great jujutsu.


I hope (lifestyle-altering amounts of) money doesn't change smooth.

It would suck if he spent all his time on beaches in hammocks with rum-heavy tropical drinks, instead of slumming around the altcoin ghetto with us.   Cheesy
legendary
Activity: 1750
Merit: 1036
Facts are more efficient than fud
I recently read that Steem's JavaScript wallet system stores the hash of a user's password on the blockchain. This would essentially reduce security to the level of brain wallets. Doesn't this open the possibility of brute force attacks to compromise many of those wallets? All it would take is cheap cracking software and some hundreds of low-hanging fruit wallets with weak passwords.

Recently it was changed to generate exclusively high entropy passwords.




Building on that--what are the plans for further security upgrades? I read a bit on the witness security, but it's been a few days and can't remember the details....
legendary
Activity: 2968
Merit: 1198
I recently read that Steem's JavaScript wallet system stores the hash of a user's password on the blockchain. This would essentially reduce security to the level of brain wallets. Doesn't this open the possibility of brute force attacks to compromise many of those wallets? All it would take is cheap cracking software and some hundreds of low-hanging fruit wallets with weak passwords.

Recently it was changed to generate exclusively high entropy passwords.


hero member
Activity: 697
Merit: 520
I recently read that Steem's JavaScript wallet system stores the hash of a user's password on the blockchain. This would essentially reduce security to the level of brain wallets. Doesn't this open the possibility of brute force attacks to compromise many of those wallets? All it would take is cheap cracking software and some hundreds of low-hanging fruit wallets with weak passwords.
legendary
Activity: 2968
Merit: 1198
Whales will become totally irrelevant when the user base and posting volume increases by 10x or 100x or even 1000x. There just aren't that many whales and whales have the same voting power restrictions as anyone else. A rare whale sighting will be a big deal.

You presume all whales are benevolent. Stake will eventually end up in a power-law distribution, because perpetual 100% debasement is not sustainable (even the transactions fees of the entire earth could not support it).

Also it is incorrect to say they play by the same rules. 3 x 3 = 9 is not 1/2 of 6 x 6 = 36.

Any way, I have proposed a partial solution.

By voting power I was referring to the declining weight according to frequency of votes placed. Just like anyone else, whales can only make about 40 votes per day without depleting their voting power. So with millions of posts and comments and a handful of whales making at most 40 votes per day each, do the math.

Seems there'll* be a fix for that:

https://steemit.com/crypto-news/@dana-edwards/attention-based-stigmergic-distributed-collaborative-organizations#@alexgr/re-dana-edwards-re-pino-re-dana-edwards-attention-based-stigmergic-distributed-collaborative-organizations-20160722t201600593z

* (already is, but not in the UI)

Yes you can voluntarily reduce your power per vote (I do this occasionally in the CLI) but then you are effectively transformed into a group of smaller stakeholders (using 1/10 the vote power as your base vote weight, you can vote as if you were 10 stakeholders each at 1/10 size).
newbie
Activity: 46
Merit: 0
The point of the stopping sign-ups was to revamp the security. Users must use a strong password generated for them by browser now. The passwords that some people were using were easy to brute force. So much FUD on this site. This place is the definition of crabs in a barrel.
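The change this post describes (browser-generated passwords replacing user-chosen ones), as an added example that is not part of the original thread and is not Steemit's code. The alphabet, the 32-character length, the guess rate and the "weak" password model are all assumptions chosen for illustration.

```javascript
// Added example: uniform password generation plus the resulting search space.
// BASE58 alphabet, length 32 and 1e9 guesses/s are assumptions, not Steemit values.
const BASE58 = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';

// Default randomness source: the Web Crypto CSPRNG (browser or recent Node).
const webCryptoFill = (buf) => globalThis.crypto.getRandomValues(buf);

// Draw `length` characters uniformly from `alphabet`.
// Bytes >= limit are rejected so that `byte % n` carries no modulo bias.
function generatePassword(length = 32, alphabet = BASE58, fill = webCryptoFill) {
  const n = alphabet.length;
  if (n < 2 || n > 256) throw new RangeError('alphabet must have 2..256 symbols');
  const limit = 256 - (256 % n); // largest multiple of n that fits in one byte
  const buf = new Uint8Array(length * 2);
  let out = '';
  while (out.length < length) {
    fill(buf);
    for (const b of buf) {
      if (b < limit && out.length < length) out += alphabet[b % n];
    }
  }
  return out;
}

// Entropy in bits of a password drawn uniformly at random.
function entropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}

// Expected time for an offline search to cover half of a 2^bits space.
function expectedSeconds(bits, guessesPerSecond) {
  return Math.pow(2, bits - 1) / guessesPerSecond;
}

// Constructed comparison: a dictionary word (100,000-entry list) plus two
// digits, against a generated 32-character password.
function compareSearchTimes(guessesPerSecond = 1e9) {
  const secondsPerYear = 365.25 * 24 * 3600;
  const weakBits = Math.log2(100000 * 100);
  const strongBits = entropyBits(32, BASE58.length);
  return {
    weakBits,
    strongBits,
    weakSeconds: expectedSeconds(weakBits, guessesPerSecond),
    strongYears: expectedSeconds(strongBits, guessesPerSecond) / secondsPerYear,
  };
}
```

When anything derived from the password is public, only the size of the search space limits offline guessing, which is why the generated form matters more than any rate limit on the site.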
legendary
Activity: 1708
Merit: 1045
If they are selling: "Oh they are dumping! They are cashing out"

If they aren't selling: "Oh they are pumping the price through artificial liquidity shortage because they control all the coins! Bastards!"

...so no matter what they do they will get criticism.

sr. member
Activity: 336
Merit: 265
To me everything points to the former, closing registration + extending payout time in a last ditch effort to retain value of the hyper-inflated currency...

Registration is open.

Furthermore closing registration is pretty much the very last thing a Ponzi scheme would ever want to do.

I think it's great to see the big fish of monero debone his own reputation for this. You get hundreds of thousands of dollars, I get something to point at and laugh. So this is win-win. Almost...

He is the big winner if he can cash out. Good guys finish last.

Someone wrote today that Ned is raking in $700K per week.
legendary
Activity: 1260
Merit: 1115
To me everything points to the former, closing registration + extending payout time in a last ditch effort to retain value of the hyper-inflated currency...

Registration is open.

Furthermore closing registration is pretty much the very last thing a Ponzi scheme would ever want to do.

I think it's great to see the big fish of monero debone his own reputation for this. You get hundreds of thousands of dollars, I get something to point at and laugh. So this is win-win. Almost...
legendary
Activity: 1708
Merit: 1045
Whales will become totally irrelevant when the user base and posting volume increases by 10x or 100x or even 1000x. There just aren't that many whales and whales have the same voting power restrictions as anyone else. A rare whale sighting will be a big deal.

You presume all whales are benevolent. Stake will eventually end up in a power-law distribution, because perpetual 100% debasement is not sustainable (even the transactions fees of the entire earth could not support it).

Also it is incorrect to say they play by the same rules. 3 x 3 = 9 is not 1/2 of 6 x 6 = 36.

Any way, I have proposed a partial solution.

By voting power I was referring to the declining weight according to frequency of votes placed. Just like anyone else, whales can only make about 40 votes per day without depleting their voting power. So with millions of posts and comments and a handful of whales making at most 40 votes per day each, do the math.

Seems there'll* be a fix for that:

https://steemit.com/crypto-news/@dana-edwards/attention-based-stigmergic-distributed-collaborative-organizations#@alexgr/re-dana-edwards-re-pino-re-dana-edwards-attention-based-stigmergic-distributed-collaborative-organizations-20160722t201600593z

* (already is, but not in the UI)
legendary
Activity: 2968
Merit: 1198
To me everything points to the former, closing registration + extending payout time in a last ditch effort to retain value of the hyper-inflated currency...

Registration is open.

Furthermore closing registration is pretty much the very last thing a Ponzi scheme would ever want to do.