Hive Keychain Independent Audit Proposal

1 yr
LeoFinance


Everyone loves Hive Keychain; it is the only way to use many of the Hive Dapps and still feel safe.

One thing that has always concerned me about Hive Keychain is that it has never been audited by a third party. There are many situations that may arise that put users of the Hive Keychain extension at risk. Some of these don't even involve the developers of the extension themselves.

Hive Keychain relies on a lot of trust that it is safe and remains safe. Most users store their posting, memo, and even active keys in Hive Keychain.

I have consulted a few crypto software auditing companies to get a rough idea of what it would cost to audit Hive Keychain for security issues, and it isn't cheap. When you start trying to audit every release, it gets even more prohibitively expensive.

The cheapest I have found is $24,000 for an initial audit, with a 10% discount on future audits as code changes. That's another $21,600 for each release of Hive Keychain.

This proposal would provide one year of auditing of Hive Keychain, which I would do personally. I have first-hand knowledge of the Hive blockchain and experience in information security (it is in fact my career).

My offer

What I am offering is an initial and complete audit of the Hive Keychain extension in both the Google and Firefox web stores. Once this is complete, I will monitor all future updates of the extension and audit the changes for potential issues. I will decompile and audit the actual released version of the extension to ensure I am looking at the code actually deployed, in case for whatever reason it differs from the GitHub repository.
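The deployed-versus-repository check described above, as an added example that is not Hive Keychain's or the author's code: it strips the CRX3 envelope from a Chrome store package (a Firefox .xpi is already a plain zip), hashes every file in the deployed package and in a build from source, and lists what differs. The sample archives are constructed inline; the CRX3 layout assumed is the "Cr24" magic, a version, a header length, the header, then the zip payload.

```python
import hashlib
import io
import struct
import zipfile

CRX_MAGIC = b"Cr24"  # CRX3 packages start with this; .xpi files are plain zips

def strip_crx_header(data: bytes) -> bytes:
    """Return the zip payload of a CRX3 file; a plain zip passes through unchanged."""
    if not data.startswith(CRX_MAGIC):
        return data
    # Assumed layout: magic, uint32 version, uint32 header length, header, zip payload.
    version, header_len = struct.unpack_from("<II", data, 4)
    if version != 3:
        raise ValueError(f"unsupported CRX version {version}")
    return data[12 + header_len:]

def file_digests(archive: bytes) -> dict:
    """Map every file inside the archive to its SHA-256 hex digest."""
    with zipfile.ZipFile(io.BytesIO(strip_crx_header(archive))) as zf:
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist() if not i.is_dir()}

def diff_packages(deployed: bytes, built: bytes) -> dict:
    """Report files only in the store package, only in the source build, or changed."""
    d, b = file_digests(deployed), file_digests(built)
    return {"only_deployed": sorted(set(d) - set(b)),
            "only_built": sorted(set(b) - set(d)),
            "changed": sorted(f for f in set(d) & set(b) if d[f] != b[f])}

def make_zip(files: dict) -> bytes:
    """Build an in-memory zip from {path: bytes} (used for the constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in files.items():
            zf.writestr(path, content)
    return buf.getvalue()

def make_crx3(zip_bytes: bytes) -> bytes:
    """Wrap a zip in a minimal CRX3 envelope; the real header is a signed protobuf, here a dummy."""
    header = b"\x00" * 16
    return CRX_MAGIC + struct.pack("<II", 3, len(header)) + header + zip_bytes

# Constructed sample: the store copy changes background.js and carries an extra script.
SOURCE_BUILD = make_zip({"manifest.json": b"{}", "background.js": b"init();"})
STORE_PACKAGE = make_crx3(make_zip({"manifest.json": b"{}",
                                    "background.js": b"init(); extra();",
                                    "extra.js": b"run();"}))
```

Running `diff_packages(STORE_PACKAGE, SOURCE_BUILD)` on the constructed sample flags `background.js` as changed and `extra.js` as present only in the store copy; a clean release reports empty lists for all three keys.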

This audit is security focused only and will not look for bugs or optimizations.

I would ask for 61 HBD/day for 365 days, renewed yearly. Submitting this proposal costs 1 HBD/day for every day beyond 60 days; the additional 1 HBD/day would reimburse that cost. 60 HBD/day would be compensation for my time throughout the year. This would result in a total of 21,900 HBD, a few thousand under the lowest offer to audit the extension only once. I will deliver the initial audit, as well as future reviews, within a reasonable time after each new release.

I believe it is critical that a third party reviews Hive Keychain (me or otherwise), not only once but on an ongoing basis, to ensure it remains a safe option for Hive users. This proposal would offer an independent and ongoing audit of the most critical piece of software used by most Hive users on a daily basis.

There is currently no active proposal for this audit, but if the community feels this is something they would support, I will draft it up and update this post.

Posted Using LeoFinance Beta


This is an excellent proposal and I will support it.
We are so reliant on Hive keychain and as more and more new Hive based apps come out I want to be able to sign into them using keychain without worrying that some new app might be an exploit of some keychain weakness.

12

I had blind faith in hive keychain. Never knew that it was not audited. Where can we check all the active proposals ?

8

Hey @themarkymark, here is a little bit of BEER from @crypto-is-a-scam for you. Enjoy it!

Learn how to earn FREE BEER each day by staking your BEER.

0

A couple semi-hostile questions in anticipation of a real proposal, so you can head them off:

  1. Who are you, anyway, and why should we care? Why would the community support and trust your audit specifically?

  2. What is the state of the Hive Keychain code? Is it open-source, and if not, could it be better to make the Hive Keychain code open-source for better community audits, perhaps after an initial audit as you propose?

9
1 yr (edited)

Who are you, anyway, and why should we care?

I am Marky. I've built a reputation here that I believe speaks for itself, love it or hate it.

Why would the community support and trust your audit specifically?

Someone should do it; it has been left undone for far too long. It should be someone with no ties or incentive from the original team. I have neither.

What is the state of the Hive Keychain code?

It is open source but unreviewed (as far as I know).

In my opinion, it is highly used and if something were to go wrong could potentially cause catastrophic results.

7
1

Yes, I can verify that Marky is well known and has a substantial reputation on Hive.

I may not agree with him all the time but he certainly knows his code.

2

I know who he is. I've been supporting him as witness for ages.

5
1 yr (edited)

I am Marky. I've built a reputation here that I believe speaks for itself, love it or hate it.

I know this. I would hope others do. But it's something you still should note in any official proposal. At least a couple lines.

... if something were to go wrong could potentially cause catastrophic results.

Agreed. I think it is worth the effort.

6

Hey @themarkymark, here is a little bit of BEER from @crypto-is-a-scam for you. Enjoy it!

Do you want to win SOME BEER together with your friends and draw the BEERKING.

0

I'd support this.

8

If anyone should do it, it should be you. I was just chatting with @bleepcoin last night and told him that you have given me a few good security recommendations, with my favourite being Bitdefender.

Anyway, you have my vote mate.

Cg

8

I'd support this proposal, good idea

8

I like this idea and while some would ask why you, the fact you have so much at stake actually gives me confidence. So my major question is ... what if you do find something? What will be done and what would your proposal be?

12
1 yr (edited)

I would immediately cease using it and report it publicly. The risk exposure is huge if there are any issues, but I don't expect to find anything, to be honest.

7

Thanks for the reply. Actually, one more reason I would suggest you do it over a third party: your reach would mean people would pay attention.

2

Hey @themarkymark, here is a little bit of BEER from @crypto-is-a-scam for you. Enjoy it!

Did you know that you can use BEER at dCity game to **buy dCity NFT cards** to rule the world.

0

This is a great point and it would be good to outline before work begins what types of actions would be taken in different scenarios.

Who would assess the severity of the risks, etc.? If you find something, how is it communicated to the community?

1

I have the same trust or distrust in you or the devs. I don't know any of you, so for me it is just a waste of time and resources.


0

That's perfectly fine mate.

1

TNO is a point of view, but it doesn't get much done in the end.

Eventually we all have to make a decision and trust someone unless you're doing the crypto-maths to sign every post on Hive by hand.

1

Good work,

0

It will certainly get my support (even though that's not much). I use the keychain daily and it would be nice to know someone is looking at the code to make sure it is safe.

On a side note, how safe is the Kiwi browser? (If you've come across it.) It is a browser that allows mobile users to use Google extensions like Hive Keychain on their phones.

7

On a side note, how safe is the Kiwi browser? (If you've come across it.)

I have heard of it, but I have not used it. I haven't really had a need to run extensions on mobile. I run very few extensions personally.

2

Yeah, I remember your post on web extensions and the security risk they pose which is why I use very few myself.

1

I would support it. It is something which needs to be done.

3

I think that this proposal is very interesting; it is important to keep our security standards high, but I'm confused: shouldn't it be the Keychain team who has to hire that audit? They could make their own proposal, or pay for it directly. After all, it is their service that will benefit from it.

I think that I'll support this anyways but any answer is welcome.

4

shouldn't it be the Keychain team who has to hire that audit?

The idea is having an independent party that is not in any way part of the same team.

2

Well, that's what's expected when you hire an auditor; it wouldn't make sense otherwise, but I get your point.

1

We're running on a 9k/month budget; it would mean consuming over 2 months' budget every time we push an update (and we push a lot of those to always keep it secure and up to date). So, this wouldn't be feasible for us at this stage.

0

Another specific proposal for the audit would have been enough then. It's good that someone else cared to do it though.

1
1 yr (edited)

This is a great proposal and I support the audit.

It would make it more valuable to the hive community if an independent agency was also involved at some level in addition to your work.

Would this be possible?

1
1 yr (edited)

If you want to pay another $24,000+ per audit, sure.

2
1

I'd trust @themarkymark to do the job better and be even more trustworthy than unknown outsiders.

The simple truth is this stuff isn't easy to check, and paying for someone who already knows Hive intimately means we get that background knowledge for free instead of paying tens of thousands for someone new to come up to speed.

2

Couldn't agree more as he is a godsend helping others on here and is 1000% trustworthy. I would say it is an advantage to have someone on Hive look at it as they know all the ins and outs of where weaknesses could be and if there are any threats.


1