Managed to send it privately again. I need to pay more attention to
where I'm clicking ;)



-------- Forwarded Message --------
Subject: Re: [MG] Democratizing Blockchain Governance in Versioning
Date: Tue, 17 Apr 2018 21:59:06 +0300
From: Mikael Sand <***@abo.fi>
To: Scott Raney <***@gmail.com>



Oh sorry, did intend it for the list. I'll resend it, and, I guess I can
just reply to your new comments here as you asked to repost. You can
repost your mail in between as well if you wish, but I'll try to keep
your replies intact.
I understand your sentiment, unfortunately the security faults are
available in published research, I can dig up some peer-reviewed papers
and videos from IT security conferences if you're interested, but some
googling should suffice to find how to do it yourself with relative ease
(often with source code, sometimes just the rough sketch of it). The
chaos communication congress, black hat and def con conference materials
should have you taking out your tinfoil hat quite fast if you're
sensitive to conspiratorial speculation. But the technology exists, and
just accounts for the consequences of the current physical
implementations, hardware and protocol designs, and can mostly be
verified simply by thinking from first principles and the
specifications. I'm not theorizing about who might be conspiring to use
this or not, for whatever reasons, I just either include these published
facts in a specific IT security threat model, or not, depending on the
use-case, for most IT systems they're completely irrelevant. The
importance is not on if it is happening, but rather if it is
theoretically possible at all, physically possible to do within a
certain budget, and if the relevant potential actors have incentives to
spend that budget on it.

If you work with IT security you need to take these publications into
account in some of your threat models either way, they can of course
have varying levels of paranoia in their assumptions, like if you
include state actors and intelligence agencies as potential adversaries
in them it completely changes the picture. Even the top level domain
resolution of the dns system, certificate authorities and the signalling
system 7 (used to set up and route connections, phone-calls and sms
etc.) have known faults and lacks trust in this case. DNSSEC and
DNSCrypt helps somewhat, but only keys shared and verified either in
physical contact or over already secured communications channels and
webs of trust has a chance of handling that as far as I know. And, one
time padding if you need actual secrecy of course, but that won't scale
before we have a cheap source of bell states on a global quantum internet.

Initial trust needs to happen between people who know each other and
meet in real life, then a OpenPGP like web of trust can scale the
network of public keys used for signing the messages (and encrypting if
you need secrecy). Duniter has the most interesting attempt I've seen so
far, for building a web-of-trust and handling the identities and
accounting of who is still living/interacting with the economy in this
manner. The six signatures within the last 100 days and max-distance of
six might not be perfect, but have to start experimenting and measuring
the results somewhere.
Well, if you're going to scale the system out and make it distributed to
be able to handle large loads, network partitions and ddos attacks, then
you'll end up either implementing or using a consensus algorithm of some
sort. Are you familiar with the
https://en.wikipedia.org/wiki/CAP_theorem ? In short, you can only have
two out of these three: consistency, availability and partition
tolerance. You mentioned mongodb before, which now supports running a
primary (+ secondary replicas) and providing either BASE (Basically
Available, Soft state, Eventual consistency) semantics or, starting this
summer in v4.0, multi table ACID (Atomicity, Consistency, Isolation,
Durability) semantics. What conflict resolution strategy are you
suggesting for network partitions? Lets assume AWS or a large part of it
goes down for some amount of time, is the service unavailable until the
connections recover? And the service would depend on a functioning
connection to wider Internet? And thus wouldn't work for organizing
people if e.g. the government, a coup, or a foreign military shuts down
the telecommunications infrastructure?
So, lets assume you've downloaded the archive once, and do it again to
check if any of the old data has changed, and you notice a chunk of it
missing or modified? What now? How do we find the culprit? Was it the
manager? Some IT admin? A bug? An attack?
How much traffic can it handle for this?

Lets say, a majority of users (or relatively large number) would decide
to download the entire archive once or more per day, is this cost
effective? and simple? Perhaps from some perspective, but I don't see
how the auditing would be done reliably without making the normal
verifying users essentially like a ddos attack once the systems gets
large amounts of users. And besides, downloading and checking the data
would only detect the issue, not say what caused it, nor resolve it
automatically using an algorithm made for distributed systems.

Lets say each user needs to generate a private and public key, and sign
their votes/actions/data whenever they add/change something in the
service and include a reference to what was the latest version of the
state, persist this in an event store, and calculate a checksum from the
checksum in the previous last event and the contents of the entire new
event (like git). Then we know it was someone in possession of the
private key corresponding to the public key of the user who
created/caused the change. At this stage you would already have what
amounts to a directed acyclic graph. Can very well be stored in mongodb,
or essentially any other persistence layer. Then if you just add a
consensus algorithm (based e.g. on vector clocks, matrix clocks,
interval tree clocks, or general causal trees), you can make it into a
distributed system which can handle availability, and using something
like latest vote/write wins you can handle conflicts on a per
user/private key event log basis to get eventual consistency (and using
CRDT and/or OT for real-time collaborative data), thus working in p2p
fashion in any network conditions (even highly unreliable and
intermittent ones).

Hmm, you intend a local manager to verify the identity of all the people
using the system? This seems like quite another bottleneck. What would
be the process for verifying the identity? Is the local manager the only
one who knows what screen name corresponds to what living person? Or
what's the auditing process here? What happens when we notice our dead
neighbor adding new votes to the data a few months after them passing away?
Secret ballots in paper-less electronic voting are inherently
incompatible with verify-ability of either the tally or one person one
vote. It makes sense in paper-trail voting, which is required for any
vote-buying/coercion sensitive topics and decisions. But as far as I
understand now, any kind of public internet voting is only suitable for
completely open data. I didn't actually mention secret ballots so far,
and I'm not sure why you're bringing it up.
A private group (already knowing each others public keys) can create
issue specific keys shared within the group, and use symmetric
cryptography to vote in secret from the public on a public ledger, while
maintaining immutability and the potential to audit the decision history
later on. But, this is more relevant to e.g. a security conscious boards
of directors or some specific interests groups, and will probably be
kept in private "block-chains" or using linked timestamping anyway,
which is nothing new. Calculating signatures and checksums for data
integrity checking has been implemented many times over in e.g. all
kinds of military and banking databases, bank-to-bank communications and
others considering similar threat vectors etc. long before bitcoin came.
Inter-bank comms tend to use some of the best key distribution
mechanisms money can buy, then again, many consumer facing internet
banking apps / checkout flows have mostly crap security and very basic
flaws like no escape character handling together with user modifiable
content and hashes, these fall under the "don't give a shit" policy of
banks, insurance covers it, and mostly a consumer client risk factor.
And, block-chain is mostly just a slightly catchier word that happened
to reach the mainstream because of the popularity and hype around
bitcoin and other crypto-currencies.
I'm still confused as to what the auditing process would be in
proxyfor.me? What is the conflict resolution method once someone claims
they have an older backup including data which is missing and/or some
which is fabricated in the current db? What if there are more than one
actor claiming this? With mutually conflicting claims?
How much experience in software development and running distributed
system in production do you have? I'm very interested in seeing your
design and how it easily verifies the good enough correctness, and its
ability to detect bugs, hacks and losses. I'm quite skeptical you've
done any of this yet though, without actually recreating what the field
of computer scientists and cryptographers have made for these specific
purposes. Perhaps there might be some technical jargon I've used which
deserves clarification, please ask if I've used some terms too
ambiguously or in an unclear way, I'm doing my best to express this as
comprehensibly as I can, while I completely understand if it seems very
confusing.
Hmm, well the source code and a sample of the dataset is not really
enough to ensure the correct functioning of a distributed system. Among
other things, it doesn't tell if its refusing to respond to some users,
or if it only shows what the person attempting to verify the data wants
to see about their own data, they would still have to check with others
to see if what they see as others data is actually the same as what the
others see, and establish some common knowledge, about what they know,
what others know, who knows that who knows what transitively, and so on.
I'd much rather have the algorithm establish this rather than do it
manually. If the specification is a protocol, you don't have to trust
the specific implementations, as long as the protocol constrains the
possible interactions correctly, you can use any specification compliant
client to interact with the network and verify what parts of the data
has already reached consensus in what parts of the network.
Too simple in fact, at least to be capable of working as a verifiable
distributed system; unless you intend to have a single primary, in which
case you don't have an actual distributed system with availability, just
some extra scaling out for more and faster reads when network conditions
are good; or unless you use something like Lamport timestamps/Vector
clocks/Matrix clocks/Version vectors/Interval Tree Clocks etc to record
the partial ordering of events and capturing the chronological and
causal relationship in a distributed manner; and, verification of
authenticity, unless you add signatures; and, verification of integrity,
unless you add something like merkle trees. What parts of the process
confuses you? Or what part is not simple enough? Or what parts of these
do you think you're achieving without doing the necessary work?
Essentially a relatively simple interface can describe the entire api
surface needed in a thin-client, the signature and checksum algorithm
choices have acceptable reasoning behind them, otherwise it's a p2p
distributed database like almost any other, except that it actually
works in an existing browser with self-hosting and authoring capability,
like Tim Berners-Lee intended the web to be.
Well, with a DAG, signature and checksum checking, you can use a
consensus algorithm to agree on what data should exist and it doesn't
matter as long as less than the majority of the network is infected, and
a web-of-trust based system can even handle that to a large degree. I
certainly trust cryptography and the very small likelihood that someone
would posses/deduce/brute-force all the private keys, much more, than
any centralized IT-system without either the required data nor
algorithms used for sufficient integrity checking and conflict resolution.
Well, it's not about someone being able to read it, everybody being able
to read it is actually a requirement rather than something to avoid, a
DAG would also have all the data openly readable (unless you write some
encrypted data instead of actual text in a comment field or something,
or if the protocol allows storing arbitrary data then anything can be
stored of course), and anyone wanting to keep their local copy of the
database up-to-date is able to, and can vote while off-line/grid and
distribute the results once they have a connection again, can even have
actual sneakernet as courier of votes/data to/from remote places.
But rather, it's about the potential for backdoors and user specific
massaging of what it responds with, and what is actually used in other
calculations/responses. Simply put, the users need to be able to reach
consensus about the data in the service, otherwise data can
disappear/change without a trace of who/what caused it or any way to
resolve the conflict, thus deserving criticism and eroding trust in the
system before it even gets started.
Well, you might have confused me for someone else, I haven't advocated
for secrecy in any public internet voting system or any other kind of
e-democracy platform, (perhaps many years ago for privacy sensitive
topics, but not since actually looking into building them and reading
some of the security analysis around them). The p2p web is essentially
the opposite to secrecy. And my concerns are mostly about data integrity
and authenticity, to make it good enough such that the security minded
people would be happier with proxyfor.me and to make it feasible at all
to audit what is going on. I'm not sure how you could have confused any
of my reservations being related to secrecy. The only relation to or
concern about secrecy is perhaps of someone in the executive branch or
an external malicious actor attempting to delete/change/add data in secret.

I'm not sure what you consider "the best commercially-available", but
the https://en.wikipedia.org/wiki/Merkle_tree seems almost universally
common. Not sure what brand of it you would consider simple enough. But
if the best commercial options suffice, it seems it's ok to use it as
long as we don't call it a blockchain, or what counts as simple in
distributed systems really? ;) I think you might have confused what I'm
suggesting with nakamoto consensus, which I don't think is a good fit
for this. Dat, ipfs and (secure scuttlebutt) ssb are perhaps the most
evolved forms of merkle trees for the p2p web, even firefox allows
supporting dat:// ipfs:// and ssb:// urls now:
https://blog.mozilla.org/addons/2018/01/26/extensions-firefox-59/ and
DNS integration will keep getting better.

Consensus and distributed systems sure ain't very simple to reason about
that's for sure. But putting an arbitrary limit somewhere such that it's
not even possible to at least eventually resolve conflicts, or that the
system is unavailable in network partitions doesn't seem very great.
These things need to be dealt with on the protocol level, instead of
being hopeful that some lazy it-admins are top notch and keeping
everything in shape in a centralized system (especially in government
IT, where the contracts tend to go to the same old friends each time, at
least in finland), when in reality they tend to be ignorant of many
security issues and they don't even admit/know about it/think it's an issue.

If you think that the dat project and the beaker browsers have bad
choices in their technological decisions compared to some commercial
alternative, I'm very interested in finding out about it and improving
the p2p web using it. But I think you might find that the commercially
available service implement these same categories of general algorithms,
and in many cases the same specific choices, to solve the issues I'm
trying to highlight here.

Sorry for the essay length ramblings, hope at least someone finds some
of it useful.

Regards,
Mikael

Mikael, I for one am finding your remarks very useful. You are now on my
list as someone to approach for advice when my project reaches the point
of having to deal with these sorts of issues. (No good essay goes
unpunished ... :-D)