
Why I find IOTA alarming - 0wing
https://medium.com/@thedrbits/why-i-also-find-iota-deeply-alarming-99d4f2da3282
======
simias
I feel like I'm missing one side of the story. I don't know much about IOTA
but from what I learned reading articles linked on HN today IOTA:

\- Uses custom "ternary" crypto which has been shown to have vulnerabilities
in the past.

\- Has software that doesn't include the basic function of generating wallet
addresses, instead having some users rely on shady 3rd party websites and
getting their coins stolen.

\- Does away with much of what made other cryptocurrencies like Bitcoin work
in the first place in order to remove transaction limitations.

\- Except that the changes required to make this work, at least in theory, are
for the most part not actually implemented yet and there appears to be a lot
of doubts that it can work at all. See for instance this comment on the
article: [https://medium.com/@comefrombeyond/thank-
you-269640e794e7](https://medium.com/@comefrombeyond/thank-you-269640e794e7)
("in the future", "temporarily", "will be using",...). Also note that many
replies in this comment actually deflect the original criticism without
actually addressing it. I don't even understand what that person means by "You
describe the internet", and how that has anything to do with the argument of
TFA.

So basically you have a highly experimental technology (even by cryptocurrency
standards) which is very much unproven (even by cryptocurrency standards) and
yet apparently it has a market cap of $6 billions:
[https://coinmarketcap.com/currencies/iota/](https://coinmarketcap.com/currencies/iota/)

So what's the other side of the story? Can a IOTA enthusiast explain what's
missing from this picture?

~~~
vvangemert
1\. There have been no vulnerabilities in the past. Please read:
[https://blog.iota.org/official-iota-foundation-response-
to-t...](https://blog.iota.org/official-iota-foundation-response-to-the-
digital-currency-initiative-at-the-mit-media-lab-part-1-72434583a2)

2\. If people are unable to generate a simple seed (password) on their own.
How can they even begin to understand cryptocurrency or even new tech based on
IoT? Still, yes it should be in the wallet and it will be added, but only for
investors, I guess?!

3\. Please read the following from their AMA:
[https://www.reddit.com/r/Iota/comments/7goul4/iota_founders_...](https://www.reddit.com/r/Iota/comments/7goul4/iota_founders_ama_summary_of_important_questions/)
and
[https://www.reddit.com/r/Iota/comments/7tltz2/live_interview...](https://www.reddit.com/r/Iota/comments/7tltz2/live_interview_with_david_s%C3%B8nsteb%C3%B8_founder_of/)

Is their market cap justified? Is the entire crypto market cap justified? The
whole idea is to invest in tech that can change the future. Who knows which
party will be the winner. It's a dare to believe in something magical, like
IOTA. Or put your luck into something more real like Bitcoin, for example.
Alas, it's good to have doubts, but this blogpost is alarming and not IOTA.

PS: A small portion of my crypto investments are in IOTA, but never press your
luck on a single coin.

~~~
lgierth
> 1\. There have no vulnerabilities in the past.

I don't know man, the MIT Digital Currency Initiative found a pretty bad one
last August:

[https://medium.com/@neha/cryptographic-vulnerabilities-in-
io...](https://medium.com/@neha/cryptographic-vulnerabilities-in-
iota-9a6a9ddc4367)

> the IOTA developers had written their own hash function, Curl, and it
> produced collisions (when different inputs hash to the same output). Once we
> developed our attack, we could find collisions using commodity hardware
> within just a few minutes, and forge signatures on IOTA payments. We
> informed the IOTA developers, they patched their system, and we wrote a
> vulnerability report

~~~
vvangemert
You should really read my first link and
[https://twitter.com/c___f___b/status/956445618381246464](https://twitter.com/c___f___b/status/956445618381246464)

The MIT-DCI are not credible..

~~~
lgierth
I value the MIT Media Lab and its DCI group pretty highly. There is nothing
about the Media Lab or the DCI in that first link of yours. [1]

So what were you trying to say?

What I did find in that first link of yours [1] is this gem though:

> The IOTA hash function, Curl-P, was designed to allow for practical
> collisions. The IOTA protocol’s security depends solely upon the one-wayness
> of the function, not its collision resistance. The rationale behind the
> design of Curl-P is a much more complicated question which we explain in
> detail.

This statement is alarming on so many levels.

[1] [https://blog.iota.org/official-iota-foundation-response-
to-t...](https://blog.iota.org/official-iota-foundation-response-to-the-
digital-currency-initiative-at-the-mit-media-lab-part-1-72434583a2)

// edit: oops, I see now that it's a multipart post, so I'll have a look
there.

// edit: yeah okay, nothing of substance in the other parts either.

~~~
fabian2k
Part 4 explains the Curl-P part in more detail, and it doesn't inspire any
confidence. They are claiming that they intentionally inserted a known bad
hash function in the open source part of the code, so that anyone "fraudulent"
clones would be useless. The closed source coordinator is claimed to avoid
this problem by some way, so they claim that the IOTA network is not affected.

I'm having a very hard time believing that explanation, but even if I do, it's
still something that shows bad judgement in my opinion.

------
StavrosK
Oh man, this article reminded me I should sell what little IOTA I have, so I
tried to. Here's what happened:

I launched my wallet and saw a zero balance and zero transactions. I looked
around and heard from some friends that I need to convert my funds or
something, because there was a "snapshot" yesterday.

I clicked the "re-attach" button and waited for a few minutes. It failed, so I
did it again and again and again. After half an hour and five times or so, it
succeeded and I could see my balance.

I tried to send funds, the wallet said "sending" for around ten minutes, and
then it finally said "success". I waited for the funds to confirm (there were
three transactions, two of which were zero for some reasons), but 70 minutes
later it still hadn't.

A friend told me I should "re-attach" the transaction and "promote" it.
Apparently, "promoting" sends five transactions that reference yours, to
confirm it. I imagine the transactions are zero-fund transactions that just
spam the network to self-confirm your own one. Who confirms the confirmers?

This is absolutely _insane_ and I can't believe this thing ever got traction.
It feels like hacks upon hacks upon hacks. It doesn't even work right! Did
_any_ of the people who bought these coins try to ever use them for anything?

~~~
cocktailpeanuts
No offense but your comment is unintentionally humorous because you're asking
all these sane questions blaming the mindless people who bought into IOTA, but
you happen to be one of them as you describe yourself.

> This is absolutely insane and I can't believe this thing ever got traction.

It got traction because people--including yourself--bought into it without
thinking much.

> It feels like hacks upon hacks upon hacks. It doesn't even work right! Did
> any of the people who bought these coins try to ever use them for anything?

Yeah, like yourself. You never actually tried to use the coins for anything
until this point when you are now finally trying to "cash out".

~~~
StavrosK
> You never actually tried to use the coins for anything until this point when
> you are now finally trying to "cash out".

An alternate (and correct) interpretation is that I bought IOTA as I thought I
may end up using it in my IoT projects. I didn't (probably because nobody
working for IOTA actually cares about IoT), and now I want to sell them for a
more useful currency.

Not everyone wants coins for speculation, but you're forgiven for thinking
otherwise.

~~~
enraged_camel
The other possibility (not just you and IOTA, but for others) is that a lot of
coins have free offerings at their launch to get things off the ground.
Stellar is an example.

So yeah, just because someone owns coins doesn't mean they are/were mindless
speculators.

~~~
StavrosK
Oh, true, they did give out some coins (me included).

Yet another possibility (which is how... a friend of mine... uses coins) is
buying weed from the dark web. That's a big use case right now.

~~~
bitoneill
I bought my first legal weed in California yesterday and it was a very
interesting experience. I don't usually smoke but I wanted to see what the
store was like. It was strictly cash only. They had several ATM's installed in
the building. Security was tight for this reason. It's hard to process that
it's now legal.

~~~
StavrosK
Is it completely legal now? Do you no longer even need a prescription?

~~~
bitoneill
It is completely legal now and I didn't need a prescription card. They asked
me if I had a prescription card, for what reason I don't know, because I've
never had one and they don't require it anymore. I think perhaps medical
clients get discounts or special deals?

~~~
spookthesunset
Probably asked so they don’t charge some kind tax or something...

------
thisisit
I have been on HN for 3 years now but I have never seen anything like this
thread. There are sheer amount of sockpuppet accounts being created to defend
IOTA.

~~~
Lewton
You know how people can get irrationally invested in defending gaming consoles
because they’ve bought one for $500?

Imagine what it feels like when you have tens of thousands of dollars invested
in something where the flamewars might actually have a real effect on whether
you ten-double your investment or not

I think it’s gonna get much uglier than this down the road

------
machinecontrol
It's fascinating how some cryptocurrencies are starting to generally move
towards centralization and away from the core principles of Bitcoin.

------
raitucarp
I just copy paste from CfB's response, in case you missed it:

Thank you. This article was useful for me, it showed what details of IOTA
haven’t been highlighted yet. Below I list incorrect things from the article,
if you find time it would be great if you paid more attention to them and
shared your thoughts:

“IOTA has no limit on transactions and therefore, it has no limit on bandwidth
requirements or disk space.” — In the future the majority of the nodes will be
swarm nodes forming clusters and using Swarm Intelligence. A swarm can process
more transactions than a single full node.

“This means, if you run a full IOTA node, anyone on the IOTA network can write
data to your hard drive with just a small, extremely low cost proof-of-work.”
— IOTA was created for the Internet-of-Things with network-bound PoW in mind,
the current state of things is temporary.

“Over time, the IOTA transaction set size can grow unbounded, leaving only
storage farms with the resources required to host the data.” — This is
incorrect even for Bitcoin because of pruning techniques.

“My past experience working at companies that develop hardware products tells
me this does not make sense in any other way but a marketing bullet.” — While
this thing is likely correct I decided to list it here. IOTA team has
experience working at companies developing hardware products too. Even more, I
bet your smartphone contains a chip developed by one of our advisors.

“IOTA claims their Ternary-based Proof-of-Work function will work with IOT
because it uses minimal power, but I contend that any power usage more
significant than signing a transaction is too much because there is another
alternative approach.” — As I already said, IOTA will be using network-bound
PoW, which will be consuming less energy than required for a transaction
signing.

“Contacting a central server run by the company that built the IOT device,
announcing the need to submit a transaction at which point the centralized
server will submit the transaction on the device’s behalf.” — You described
the Internet, not the IoT. Please, refer to “Connectivity” section of
[https://iot.ieee.org/newsletter/march-2017/three-major-
chall...](https://iot.ieee.org/newsletter/march-2017/three-major-challenges-
facing-iot), it explains why you are very wrong.

“In the case of IOTA the client software design intends to kick nodes off the
network that do not participate enough, so being even just a passive listener
is not an option.” — And again you talk about the Internet, not about the IoT.
Googling for reasons of not using IP(v4/v6) should show you the mistake.

I don’t mention insignificant mistakes in your reasoning, all those seem to be
caused by the lack of information about IOTA. This is an issue that the IOTA
team is working on.

~~~
tauntz
This is a very.. immature and amateurish response at best, purposely deceptive
at worst.

OP talks about what IOTA _is_. The response is: "You are wrong because we
_hope that IOTA will be different in the future_". How does this response make
any sense at all?

