Security

@edicted

This one variable is the single most important aspect of crypto by quite a wide margin. In the digital world, our security is our health. If we don't have our health, we don't have anything.

We see this proven time and time again.

Rugpull after rugpull, or in the most recent case the terra/luna systemic failure, we see that if assets aren't secure, they can drop to zero or be stolen (also zeroed) in an instant. Now, that's not a very good way to do business, is it?

If we are running around telling everyone to be their own bank, we ought to give them lots of ways to protect themselves. No one in their right mind would ever put their life savings into bitcoin on a hot wallet stored on their phone. Except people do this all the time, and we hear stories of people losing everything, all the time.

This issue is twofold.

On the one side we want crypto to be secure enough that anyone could put their life savings into it and feel like they made a smart decision, not a dumb one. As I've been reminding everyone for months now, this is an infrastructure issue. The infrastructure just doesn't exist yet, but it's getting built slowly but surely.

Hive is ahead of the game.

When I was talking to Matt this issue unsurprisingly came up. We talked about how easy it is to buy Hive, not because we can trust its fair-market value to be stable, but because we know it's never going to get stolen.

Account recovery on Hive is a big deal.

It took me a couple years complaining about it to even realize how it actually worked.

Look at this garbage post.

Wow, that post is absolute trash.

The first thing I thought of involves the prerequisites for account recovery. Steem is an open network. Anyone can recover an account. Why then would the standard recovery procedure be the transference of the master key to the recovery account? This needlessly puts the account to be recovered in further danger.

The "master key"?

Wow, this was January 2020, and I still had no idea that the master key doesn't even exist on the blockchain. It took me over two years of being heavily entrenched in this community and researching crypto every day... and I'm still learning new things that surprise me.

To be clear, Hive has 4 keys:

  • owner
  • active
  • posting
  • memo

For anyone wondering what the master key does: it is an OFF-CHAIN tool that simply generates the other four keys from a single seed password (much like the 12 words you write down for EVM solutions like Metamask). The cool thing about the master key is that the password can be anything. Most people don't realize this because they use a frontend like peakd to generate the master key, and a frontend will use the same gibberish passwords as all the rest of cryptography (again, for security).

On a technical level, the master password could be "dog" or any other completely insecure password, and it would still generate the other 4 super secure crypto keys from it. I've also seen solutions that are backwards compatible with EVM, meaning that you could change your keys to ones derived from the same seed phrase as your Metamask wallet. Again, it's small things like this that are very convenient & modular on a developer level that we aren't even using to their full potential.

Another very nice thing about the master password is that it is combined with the Hive username for extra security. Meaning if one person was dumb enough to use the master password "dog" for their account, the keys generated would be completely different from those of another person who used "dog" as the master password on another account.

This is really good for security because it means that a hacker has to target an individual account with brute-force attacks. They can't brute force the master password "dog" and then check to see if any account on Hive used that password. They have to run the calculation for each individual account on Hive to verify whether any of them used that particular one.

This makes brute-force attacks on Hive exponentially more difficult, even if some people are using a less-secure password to generate their keys. The advantage is that the default is super secure passwords, so targeting the people who don't have them is much more difficult (if not impossible), because it's impossible to know who used a secure password and who didn't.
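To make the per-account point concrete, here is an added example (not code from the post or from Hive itself) that reimplements the master-password derivation used by the Steem/Hive reference libraries: each private key is sha256(account + role + password), encoded as a Bitcoin-style WIF string. The account names and the password "dog" are constructed sample inputs.

```python
import hashlib

ROLES = ("owner", "active", "posting", "memo")
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    # each leading zero byte is represented by a leading '1'
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(text) - len(text.lstrip("1"))) + body


def to_wif(raw_key: bytes) -> str:
    # Hive private keys use WIF: 0x80 prefix + 32-byte key + 4-byte double-SHA256 checksum,
    # which is why every Hive private key starts with a '5' and is 51 characters long.
    payload = b"\x80" + raw_key
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + checksum)


def wif_checksum_ok(wif: str) -> bool:
    data = b58decode(wif)
    payload, checksum = data[:-4], data[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def derive_private_key(account: str, role: str, password: str) -> str:
    # The account name and role are mixed into the seed, so "dog" on one account and "dog" on
    # another hash to unrelated keys: a brute-force search has to be rerun per account.
    seed = (account + role + password).encode("utf-8")
    return to_wif(hashlib.sha256(seed).digest())


def derive_all_keys(account: str, password: str) -> dict:
    return {role: derive_private_key(account, role, password) for role in ROLES}
```

Note that the seed is concatenated with no separator, so the derivation is deterministic for a given (account, role, password) triple and nothing about it is stored on-chain.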

Timelocks

Hive security and account recovery don't work without timelocks. This is why it is so laughable when people say we should get rid of the powerdown schedule, or lower it, or add a paid option to remove it. Like, no. How about you employ proper accounting techniques and have Hive unlocked in advance, hm? Although I am a fan of my power-cooldown idea, where the first powerdown is instant, this would be a toggled option with downsides, the main downside being that when you power up it takes a week before your voting power increases (to avoid exploits from powering up and then powering down instantly).

On another note, it is possible to sell locked Hive by borrowing Hive and shorting the market until your stake unlocks and you can pay back the loan. So again, changing the timelocks on Hive is totally pointless. It would be much smarter to simply build the infrastructure that allows Hive users to borrow liquid Hive, dump it on the market, and pay back the loan once their powerdown completes. Short the market to pump the price.

In any case, timelocks on Hive are the thing that makes account recovery actually work. Without the timelocks the money would just be stolen and that would be that. The main point to be made here is that Hive is one of the few places people can park their money and not have to worry about it being stolen, because it's locked and we have account recovery, unlike most networks out there.

Well I just use a Trezor or Ledger Hardware wallet!

Bully for you, friend. And you trust these corporations to protect your data and not program in backdoors through the heavy encryption and software updates? We already saw that Ledger was storing copious amounts of user data that leaked in their hack, and people literally got threatened, kidnapped, and killed over that data breach. And that was just user information like addresses, not even a backdoor into the system.

Hive COMPLETELY removes the need to trust a corporation. Sure, hardware wallets are great and I use mine all the time with Metamask for that extra layer of security. But to assume they can't be hacked or there is no backdoor? That's foolish. We've already seen that if the device is intercepted during transit it can simply be replaced by a hacked device. And again, even in this scenario the corporation itself is still assumed to be trustworthy. What happens when the corporation has to do what the government tells it to do behind closed doors?

This is why I always talk about the need for an airgapped hardware wallet that anyone can set up themselves. If Hive had something like this, wow! We'd have account recovery and hardware wallets that never even connect to the Internet. Try to hack that... lol. Not gonna happen. Would be an incredible development. Alas, I don't live in the future.

But how does account recovery even work?

This is something I was very confused about for a long, long time. Shoutout to @dan (Dan Larimer) for inventing it, because it is such an ingenious solution that while I was studying it I came to the conclusion multiple times that it must be centralized with an associated attack vector. It is not. If I'm being honest, if I had developed something like this I'd be pretty annoyed that no one was really talking about it in the higher-up crypto world.

Again, it is an absolutely brilliant solution.

When your OWNER key becomes compromised and you need to recover your account, you contact your "recovery account" OFF-CHAIN. You verify to this person/entity that you are the rightful owner of the account. This could be done in many ways.

  • A phone call to your best friend.
  • The same way WEB2 does it (email/password 2FA).
  • Smartphone 2FA.
  • Google Authenticator 2FA.
  • Some other encrypted solution.
  • Asking pretty please?
  • Whatever.

The point is:

The recovery account then has a choice to make: is this the rightful owner of the account, or is it a scammer? In most cases the scammer scenario doesn't even make sense. The person looking to recover their account is doing so because the owner key was changed. For the request to be fraudulent, the thief who already controls the account would have to be the one asking for recovery, which doesn't make sense because they already control the account. The only reason to do this would be to confuse the recovery account as to who the rightful owner is, and I've never heard of this happening before (not even in theory, until just now talking about it).

So the recovery account finds out that the rightful owner of the account wants to change the owner key to XYZ. They sign this transaction on chain with their active key as the recovery account. "This account that I am the recovery for will change owner key to XYZ."

This is the part that confused me.

If the recovery account can run around changing the owner key, that's clearly a centralized security breach, right? What happens if they get tricked or are malicious? Centralized attack vector is centralized.

But it's not centralized though.

Because the only way to actually change the key to XYZ is if the original owner signs the transaction with the old key that was stolen. In fact, any owner key that was valid in the last month could sign the recovery transaction to change the owner key to XYZ. What happens if the thief signs the transaction instead of the rightful owner? Same outcome: the public key changes to XYZ and the rightful owner takes possession of the account.

What happens if a scammer tricks the recovery account into changing the owner key to something they control? Doesn't matter, because again, that transaction doesn't get finalized until it is signed with a key that was valid within 30 days. The scammer never had the key to begin with, and the recovery account doesn't have this information either.

That is the beauty of this system. It adds ZERO attack vectors and creates a system where all of us can recover our accounts without having to worry about any security being compromised by the solution. In the world of crypto, where all "solutions" are actually just tradeoffs and sacrifices, account recovery stands in that special place where it just works and there are no drawbacks. It took me multiple years of researching crypto before realizing just how elegant a solution it really is.
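A simplified model of the two-step flow described above, added here as an example and not code from Hive itself: the recovery account first records the requested owner key (Hive's `request_account_recovery`, signed with its active key), and the finalizing transaction (`recover_account`) only passes if it matches that request and is signed with both the new key and an owner key that was valid inside the 30-day window. Signatures are modeled as the set of keys the signer holds; the account names, keys and days are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Optional

RECOVERY_WINDOW_DAYS = 30  # per the post: any owner key valid within the last month can sign


@dataclass
class Account:
    owner_key: str
    active_key: str
    recovery_account: str = ""
    owner_history: list = field(default_factory=list)  # (old_owner_key, day_it_was_replaced)
    pending_new_owner: Optional[str] = None

    def change_owner(self, new_key: str, day: int) -> None:
        self.owner_history.append((self.owner_key, day))
        self.owner_key = new_key

    def owner_key_valid_recently(self, key: str, day: int) -> bool:
        return key == self.owner_key or any(
            k == key and day - replaced <= RECOVERY_WINDOW_DAYS for k, replaced in self.owner_history)


def request_account_recovery(accounts, recovery_acct, target, new_owner_key, signed_with) -> bool:
    # Step 1: after the off-chain check, the recovery account records the requested new owner
    # key, signing with its own ACTIVE key. Nothing about the target account changes yet.
    acct, rec = accounts[target], accounts.get(recovery_acct)
    if rec is None or acct.recovery_account != recovery_acct or rec.active_key not in signed_with:
        return False
    acct.pending_new_owner = new_owner_key
    return True


def recover_account(accounts, target, new_owner_key, recent_owner_key, signed_with, day) -> bool:
    # Step 2: finalize. Must match the pending request AND carry signatures from both the new
    # key and an owner key that was valid inside the recovery window. A scammer who tricked
    # the recovery account still fails here: they never held any old owner key.
    acct = accounts[target]
    if acct.pending_new_owner != new_owner_key or not {new_owner_key, recent_owner_key} <= signed_with:
        return False
    if not acct.owner_key_valid_recently(recent_owner_key, day):
        return False
    acct.change_owner(new_owner_key, day)
    acct.pending_new_owner = None
    return True


def compromised_setup() -> dict:
    # Constructed sample: alice names bob as recovery account; a thief replaces her owner key on day 10.
    accounts = {"alice": Account("ALICE_OWNER_OLD", "ALICE_ACTIVE", recovery_account="bob"),
                "bob": Account("BOB_OWNER", "BOB_ACTIVE")}
    accounts["alice"].change_owner("THIEF_OWNER", day=10)
    return accounts
```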

Of course, part of the reason many do not understand this process is that most people never actually have to use it. That's the goal, right? To never need account recovery in the first place. No one wants their keys to get stolen. But in the case of Hive, even if this happens we can get most of our money back (assuming it was powered up or in savings). That's a powerful backend design that has yet to reveal its true usefulness to the world of crypto.

RESET ACCOUNTS

Reset accounts are something I thought up on my own when I was learning the Hive API. A day later I realized that reset accounts already exist, but the code is disabled and the witnesses do not enforce them. That's because, unlike recovery accounts, reset accounts DO come with a crippling attack vector.

How many accounts on Hive lose their private key, so that the account becomes derelict and owned by no one? It happens quite often. Very sad. Most people it happens to assume that there will be some way for them to recover their account, not realizing the critical difference between WEB2 and WEB3, where we own our data directly. If you lose data that you own... you lost it. There is no magic WEB2 fairy to give it back... unless you have a reset account.

A reset account allows the arbiter to change the owner key to whatever they want in a fully centralized way. In essence, the reset account becomes the new owner, no questions asked. However, the reset account can only enact a reset if the account it is attached to goes inactive for a certain amount of time (say six months). The associated attack vector is obvious: if someone just goes inactive without having lost their keys, their account could get stolen for no reason.

Personally I think witnesses should reactivate this code.

Obviously it should be fully optional, with the ability to change the reset account to @null whenever the user wants, but I still think something like this would have a lot of value in many circumstances where noobs are running around losing their keys.

For example, Hive is working on 'Lite Accounts' across multiple platforms (leo, splinterlands, spk). These Lite Accounts control the keys directly so that noobs get a WEB2 experience on WEB3 until they figure out how to secure their own keys. Enabling the reset account would allow these custodians to build an even better transition to WEB3. Even after the keys are changed and the noobs are looking after their own keys, if the custodian were the reset account it would still be able to salvage the account should the noobs lose their keys. We should definitely enable this code as an option. Honestly, I would love to hear the thoughts of lead devs like @blocktrades or @smooth or whoever on this matter. Surely there are reasons to leave it disabled, but I feel like we can't scale up without code like this being activated.

Final thought

Price stability is also a kind of security. I talk about this a lot: how many popular cryptos of the future will have a stablish price point with high yields and high inflation. Even if I'm wrong on that particular prediction, the main argument still rings true: people don't like the volatility of crypto and it's a big hurdle to adoption. I may be wrong about how it happens, but I'm not wrong about the end result. Token stability and utility can be thought of as a kind of security that users can count on.

Conclusion

When it comes to money, if we don't have security, we don't have anything. The infrastructure does not exist to give people peace of mind when it comes to their funds. It doesn't matter where those funds exist. Could be crypto, the stock market, or legacy banking; security is lacking in every department. Luckily crypto is evolving every day and will eventually come up with the solutions required for people to trust that they can put their life savings on-chain, but until then we just have to keep grinding forward and build out the infrastructure. These things take time. hodl

Posted Using LeoFinance Beta