
Cryptographers Urge People to Abandon IOTA After Leaked Emails - charlysl
https://spectrum.ieee.org/tech-talk/computing/networks/cryptographers-urge-users-and-researchers-to-abandon-iota-after-leaked-emails
======
Roritharr
The crypto space to me is really frustrating. I've seen friends become
something very close to scammers, I can't have interesting technical
discussions about the topic without being called doomsayer and even when I
pitch an idea what to use the Blockchain for, all I get is: "let's do an ICO
and raise a shitton of money!" although that doesn't really make sense towards
what I'm proposing.

I feel like the nerd in class that hopes that the teacher (regulatory bodies)
will pinch those bullies so we can get back to topic. I hate that feeling.

~~~
mratzloff
I had a conversation with a guy creating a crypto startup recently. It only
took five minutes in before the thin veneer of an actual business model fell
away and the real motive—free money—started coming out.

His position, distilled: if people are stupid enough to give me money, who am
I to say no?

I suggested his easy money might not be so easy if (for US investors) the SEC,
FTC, CFTC, etc. crack down and claw back investor money. Maybe that's fine if
you've become hugely profitable in that time, but if you haven't...

~~~
dingo_bat
I agree with your friend. Dumb people will give away their money anyway. Might
as well give it to me. What's wrong with free money as long as I'm not doing
illegal stuff?

~~~
alex_hitchins
Morals, ethics?

~~~
roymurdock
If investors are giving money based on lies, there’s a legal system in place
to help them recover failed fraudulent investments. I’d wager in many cases
investors know exactly what they’re investing in. So I don’t see any
ethical/moral conflicts in a lot of these BS cryptocurrency schemes, just a
lot of wasted potential and a somewhat shameful divergence from the idealistic
core tech - private, trustless transactions through a decentralized blockchain
(bitcoin).

~~~
alex_hitchins
Stunned by that comment. Stunned.

~~~
roymurdock
I almost didn’t write it and knew I’d be downvoted. Many folk that hang around
HN are very idealistic, myself included. My main point is that you shouldn’t
feel sorry for cryptocurrency investors; many know exactly what they’re
gambling on. Easy money and BS “tech innovation” being used to grab portions
of that cash pile is the reality I see. What’s your opinion of the mkt?

~~~
sangnoir
> My main point is that you shouldn’t feel sorry for _cryptocurrency
> investors_; many know exactly what they’re gambling on.

This category is broader than you imagine and now includes unsophisticated
individuals who can't tell the difference between the blockchain and a bike
chain. Lately, I've been hearing a lot of "invest in bitcoin" talk from people
who are not well-informed, and do _not_ know what they are gambling on. What's
illegal for penny stocks should be equally illegal for cryptocurrency - the
Feds should crack the whip.

~~~
roymurdock
It's not hard to understand the high risk, high reward investment principle.
There are plenty of safe index funds, blue chip stocks, and bonds available to
retail investors/unsophisticated individuals. It's not difficult to understand
that cryptocurrencies are _highly_ speculative. I would never advise my
parents to buy bitcoin, ethereum, or any other cryptocurrency without adding
the caveat that they be prepared to lose everything in an exchange hack or
some other shady behavior.

I can understand the need for the SEC to protect investors when it comes to
investment into traditional companies - regular people can't read a 10k and
don't sit in on analyst calls that are mandated for public companies
registered with the SEC. But if you're investing in an unregulated, highly
risky asset, where you don't understand any of the assets or technology the
company owns...come on man.

~~~
sangnoir
> But if you're investing in an _unregulated_, highly risky asset,

A lot of people are about to find out that cryptocurrencies are, in fact,
regulated. It's weird to see some techies agree with the idea that "pedestrian
thing, _on a computer_" patents are invalid (because the "on a computer" bit
is irrelevant), but when it comes to "fraud/misrepresentation _on a computer_",
then it suddenly needs to be legally special-cased as somehow different.
Intangible/abstracted assets predate cryptocurrencies - there's nothing new
about crypto in the eyes of the law.

------
arcticbull
58 days ago I posted a bunch of evidence about why IOTA didn't make sense:
[https://news.ycombinator.com/item?id=16039802](https://news.ycombinator.com/item?id=16039802)

I think Bruce Schneier's take was particularly prescient: "In 2017, leaving
your crypto algorithm vulnerable to differential cryptanalysis is a rookie
mistake. It says that no one of any calibre analyzed their system, and that
the odds that their fix makes the system secure is low."

The question is, though, is this going to make a difference to the people
playing? Very little about the crypto space makes any sense. It's in a lot of
ways just a database but harder -- so much harder -- because the community
insists nobody can be trusted. In reality there are very few situations in
which you really can't trust one other entity.

~~~
wepple
I’m beginning to feel that any type of gentle academic evidence of flaws in a
given scheme or technology in the crypto currency space is blasted as “FUD”,
so

Here’s a thought exercise: if all the cryptocurrency communities call out
research as paid shilling FUD, are we morally obliged to exploit weaknesses
and attempt to demonstrate flaws with actual real collateral damage?

~~~
xbkingx
That's the world today - ignore facts that don't agree with your preconceived
views and deny deny deny.

The problem with exploiting vulnerabilities for personal gain is that you're
hurting more innocent investors, too. It's kinda like carpet bombing, in that
you'll accomplish your goal of killing the enemy, but you're taking a lot of
other people with them because they have a spurious link.

OTOH, maybe you can gain enough influence to make changes that would
marginalize or punish the corrupt operators. A lot of these quasi-cryptos have
a hidden layer to prevent this (Ripple, IOTA, etc.). Their coins are more like
unregulated stock in the founder's company than a decentralized machine. I'm
not sure if that makes them more or less susceptible to a single, strong
outside force. They could simply delete your coins, but without knowing the
exploit that's just temporary. You would have an actual target (other than
'the system'), which you could pressure (aka blackmail), but they could cash
out immediately and walk away.

If I was running a scamcoin (and a terrible person) I'd probably bring the
exploit finder into the inner circle to gain positive media (with the
associated price bump), wait for the first major act of the new person and
then cash out, step down, and disclose the vulnerability. Spin it as the new
person trying to cover up problems they caused or improperly addressing the
original problem and preventing a good solution.

To counter that, the exploit finder could condition their involvement on
releasing the hidden layer's source as a matter of transparency, but really be
working on a way to fork without the hidden layer or replace it with a
democratized layer. Now you can claim the founders were greedy and didn't want
to fix the exploit, and that your working solution was rejected because it
took away their ability to manipulate the market. Turn it into an announcement
of the new 'fixed' coin.

It'd be a fun movie plot, but probably terribly boring to watch.

------
boreas
As an aside, is there anyone else extremely disappointed with the quality of
discussion over at /r/cryptocurrency? This conflict over IOTA has been
unfolding for a long time and the guys on that subreddit defend it
fanatically, accusing DCI of "FUD"ing IOTA. I am not sure if the subscriber
base is technically illiterate or users that hold a given coin have a strong
incentive to dismiss any criticism.

As someone fascinated by the technology in the crypto space but very skeptical
about the real-world usefulness of many of these projects, I wish I had a
better forum to read besides the odd HN post.

~~~
justboxing
> This conflict over IOTA has been unfolding for a long time and the guys on
> that subreddit defend it fanatically, accusing DCI of "FUD"ing IOTA

It's not just IOTA. It's more or less any of the top 10 / 20 (by MarketCap)
Crypto-currencies on the respective sub-reddits. It's especially bad on
r/Ripple where anything critical of Ripple / XRP is instantly deleted by the
mods in the name of F.U.D (Fear, Uncertainty, Doubt), and even a small +ve
news item is posted several times in a day, even trials of Ripple that don't
even use XRP for the transactions.

And then there was this self-proclaimed shill who described in great detail
how he made tons of money shilling various coins on reddit.
[https://www.reddit.com/r/CryptoCurrency/comments/7xkm0z/i_wa...](https://www.reddit.com/r/CryptoCurrency/comments/7xkm0z/i_was_a_paid_cryptocurrency_shill_iam_here_to/)

From what I've observed on r/Cryptocurrency and related coin subs on reddit
over the past month or two, Reddit is being carefully manipulated by whales
and scam coin creators to attract bag holders and manipulate the markets for a
quick profit. And many of the mods engage in circle-jerk postings, maybe they
are in on it too. Who knows.

~~~
Waterluvian
There may be people in on it, but I wouldn't be surprised if it's
overwhelmingly just people defending their position. I've seen the exact
behaviour I see at r/cryptocurrency in video games. No Man's Sky pre and post
launch was exactly the same. Sensible people casting doubt on what it is you
actually do with the game, being shouted down by those who are convinced it's
going to be the greatest thing ever. Then lots of defensiveness against all
the post-launch signals that it's a mess.

~~~
c12
People who have bought into something will become more entrenched in their
views because doing otherwise will cause a "loss of face." It's understandable
really, nobody wants to admit to being duped.

~~~
Donzo
The desire to remain consistent with one's previously established positions is
one of the great psychological motivators:

[https://www.amazon.com/Influence-Psychology-Persuasion-Busin...](https://www.amazon.com/Influence-Psychology-Persuasion-Business-Essentials-ebook/dp/B002BD2UUC)

People will often act against their own best interests to do so.

------
ubidubbiiui
After 1+ hour of reading, things start to be surreal.

IOTA team swapped their in-house hash algorithm "Curl" for their new in-house
hash algorithm "Kerl" in
[https://github.com/iotaledger/iri/commit/539e413352a77b1db20...](https://github.com/iotaledger/iri/commit/539e413352a77b1db2042f46887e41d558f575e5),
while on the same day blogging about it and claiming their new in-house hash
algorithm is actually SHA-3: [https://blog.iota.org/upgrades-updates-d12145e381eb](https://blog.iota.org/upgrades-updates-d12145e381eb)

> "Therefore we have made the simple decision to temporarily switch Curl with
> Keccak (SHA-3) for cryptographic signing in IOTA."

------
wbraun
The amount of brigading by the IOTA community also shows how toxic it is. Just
look at the comments on the ieee article. Or some of the tweets. They were
also spamming the /r/MIT subreddit about the DCI.

Just watching this all unfold is making me realize how toxic parts of the
cryptocurrency community are and it's making me really sad.

~~~
josephagoss
It's a wild west, we need a winter of sorts to destroy most of these projects.
If IOTA isn't secure it should fall sooner than later.

Hopefully what exists in several years time will be good technology, and
hopefully the scams have gone away.

I'd wager that marvels like Bitcoin and Ethereum will still be here.

------
lolc
> The researchers disclosed to IOTA that the hash function they were using,
> which was an in-house concoction called Curl, was broken.

Classy. Not only do they keep their cryptocoin proprietary, they did use a
proprietary hash function too.

I wanted to predict the inevitable fall of the currency but realized that the
enterprise might just turn into a bank. If they are the gatekeepers to every
transaction, they are already sort of a bank. An unregulated bank. With their
own bank notes.

~~~
weavie
Is there any (valid) reason why someone would want to use their own hash
function? Secure hash functions, as far as I am aware, are pretty established
and widely available and really easy to use..

~~~
once_inc
No. There is no valid reason to do so.

~~~
DyslexicAtheist
if you understand the Math and agree that whatever you do needs to go through
a proper peer review then why not. Saying "nobody may research the subject
because you'll fail" is bad science. If you work in this space, know your
Math, and don't rely on your _invention_ to be put into production this year
then why not study the problem space and innovate by following the established
best practices!?

Problems arise when someone thinks they should now turn this invention into a
money-cow or label it "proprietary magic" (under the pretext of protecting
IP/copyright).

~~~
akvadrako
_> if you understand the Math and agree that whatever you do needs to go
through a proper peer review then why not._

Because crypto is really hard and you can't prove your new algorithm is
secure. Only after being a popular high value target for years can you have
much trust in your new hash. Even SHA2 might have flaws nobody knows about -
that's the main purpose behind having SHA3 standardised - as a backup.¹

If you are not the designer of the algorithm it's even worse, because an
exploit could be put in intentionally by proper choice of constants which are
in some cases undetectable.

[1]
[https://security.stackexchange.com/questions/152360/should-w...](https://security.stackexchange.com/questions/152360/should-we-be-using-sha3-2017)

------
ola
It still baffles me that the official response from the IOTA foundation is
that the vulnerability was inserted intentionally as copy-protection.

And even more baffling that their flagship partner Bosch does not seem to have
a problem with this practice.

~~~
once_inc
I doubt that any of the decision makers at Bosch have enough theoretical
knowledge to be able to form any sort of opinion about it.

~~~
user5454
Well, as IOTA targets embedded devices (I guess the reason Bosch is
interested) they should have enough knowledge to form an opinion about
transaction sizes:

_"transactions in IOTA are 10KB (in contrast, Bitcoin transactions are on
average 600B)"_ [1]

[https://medium.com/@neha/cryptographic-vulnerabilities-in-io...](https://medium.com/@neha/cryptographic-vulnerabilities-in-iota-9a6a9ddc4367)

------
chadbennett
I abandoned IOTA months ago after looking at their Github issues page.
[https://github.com/iotaledger/wallet/issues](https://github.com/iotaledger/wallet/issues)

Great idea, just a little too early for massive adoption.

~~~
StavrosK
I abandoned it after hearing about the Curl debacle, and _trying_ to abandon
it (and selling all of my $100 worth of IOTA) just validated my decision. The
wallet couldn't show the right balance unless I "reattached" a bunch of times,
and, get this: In order to validate a monetary transaction, the wallet
_transmits zero-amount "validation" transactions that refer back to the
original one_, essentially validating itself. Such secure.

------
Legogris
I appreciate how the example collision (page 18 in the email dump) uses the
lyrics of "Push it to the limit" by David Hasselhoff. The number 9 seems to be
appearing a lot both in the collision raw text and previously when they refer
to the bleed. I guess it has something to do with the function being based on
trinary logic - could there be another flaw there related to this?

Also kind of amusing seeing the different sides of the IOTA team: Sergey is
antagonistic and difficult to communicate with while David tries to smooth things
out and get everyone to play along nicely.

~~~
sdenton4
My favorite part was the IOTA folks insisting that their 'higher level'
protocol would fix all their rookie mistakes. (Yes! We intentionally built our
castle on quicksand! But look how hard the walls are!)

It's a great example of why you need to start from sound foundations.

~~~
user5454
My favorite part is that they don't seem to understand the concept of hash
collisions _at all!_ (_"ONE collision, nah that's nothing"_ [1]) and when JP
Aumasson explains a possible attack the response is basically _"Who would do
such a thing?"_ [2]

[1]
[https://twitter.com/c___f___b/status/967511451442302976](https://twitter.com/c___f___b/status/967511451442302976)

[2]
[https://twitter.com/c___f___b/status/966315009071607809](https://twitter.com/c___f___b/status/966315009071607809)

------
thisisit
Irrespective of whether IOTA has issues or not their constant hostility is
surprising to say the least. If you run something in public domain there are
going to be people coming after you. And people need to learn to adapt which
IOTA is sorely lacking.

~~~
tarken
unless you can frame the narrative as the 'world vs us'. it works for musk
fans.

------
granaldo
Interesting that after much bad news on IOTA, the market is still pricing IOTA
well:
[https://www.coingecko.com/en/price_charts/iota/usd](https://www.coingecko.com/en/price_charts/iota/usd)
The market is ignorant, uninformed, or it's all none total speculative.

------
stef25
I'm baffled as to why an obviously intelligent bunch of people take to Twitter
to discuss this.

~~~
Freak_NL
To have an audience. They are using Twitter as a platform for a public debate
in lieu of an alternative.

------
jaythvv
Everything about this project is weird. I started looking into it since I do
IoT stuff and there was so much hype.

Then you find out about the curl issue. The unnecessary ternary. Read the
white paper and all issues with tip selection was "solved" with hand waving.
Then you find out it doesn't even have a client that works on a typical IoT
device... Reading the email chain made it ultimately clear: these people have
no idea what they're doing. They just threw a bunch of random ultra cool
sounding tech together ("post-quantum crypto", of course) and started hyping,
while the code never worked. Obvious scam.

------
cyphunk
Sergey appears to have attitude issues and the IOTA team have serious damage
control issues, but the MIT team also, maybe wisely, appear obstructive at
certain important points. In particular the probability of attack in the wild
seems a valid question that was never dealt with by the MIT team? (Disclosure:
I'm not invested in IOTA one bit, nor is anyone I know)

What I witnessed after reading through all those letters is a common clash I
see over and over of two types of cryptanalysts: Those whose knowledge grew in
resource expansive environments (internet/cpu space) and those whose knowledge
grew in resource constrictive space (e.g. satellite broadcasting). In
particular they clash on the idea that there can ever be a valid use case for
a less-than perfect security schema, so-as-to provide certain desired resource
benefits, while still being sufficiently secure for a specific use case.

Cryptographers dance around who has perfect security at heart, never getting
down to the issue: that they disagree on necessary trade-offs. By the time
they do get to it, one will disengage entirely from conversation and assume
the other is just stupid. That has happened here (both sides I think). It's a
common outcome.

(Disclosures: I worked as a software+hardware reverse engineer, not
cryptographer, in the satellite TV space. So I'm not anything close to an
authority on the topic but was around these debates often.)

------
swarnie_
Still holding @ 2.23

Dealing with and accepting loss is actually quite difficult....

------
KasianFranks
Get your pitchforks out on crypto. Wrong side of history you are on.

------
mbgaxyz
IOTA co-founder, Sergey Ivancheglo aka Come-from-Beyond, has an open
invitation for cryptographers to discuss this issue on his blog:

"Intermediate summary of Heilman et al. claims about the security of a
previous version of IOTA signature scheme"

[https://medium.com/@comefrombeyond/intermediate-summary-of-h...](https://medium.com/@comefrombeyond/intermediate-summary-of-heilman-et-al-add87228efab)

~~~
TD-Linux
What is there even to discuss? The disclosures and email tell me everything I
wanted to know.

~~~
mbgaxyz
Where is the code which exploits the supposed vulnerability in IOTA?

After all, there are code samples available today which demonstrate the
SPECTRE and MELTDOWN attacks.

~~~
zaarn
There are explanations on how it works here
[[https://archive.is/6imWR](https://archive.is/6imWR)]
[[http://www.tangleblog.com/wp-content/uploads/2018/02/letters...](http://www.tangleblog.com/wp-content/uploads/2018/02/letters.pdf)]

You don't need code to prove that a vulnerability exists, it is sufficient,
especially for crypto primitives like hash functions or cipher rounds, that
there is a mathematical vulnerability that can be potentially exploited.

------
Alex3917
Somehow I doubt the kind of people buying IOTA are going to abandon it just
because the core team is incompetent.

And to be honest they may be right. Because crypto offers instant liquidity,
unlike in venture the people who are going to make the most money aren't
necessarily going to be the best at picking the winners.

------
lucideer
IOTA has seemed questionable for quite a while, and I'd also urge people to
stay away from it, but is it just me or is Green's conduct here pretty out of
line?

He says:

> _If you want a postcard summary of why you should avoid the Iota project —
> with your brains and your money — this conversation is it._

but if you read the conversation he's referencing, he doesn't come off as
reasonable in it either.

~~~
abhv
I am a researcher in cryptography who just read the full email transcript
posted at [1]. I found Ethan and Neha's email responses to be patient and
sincere.

In contrast, the IOTA team members Sergey and David have no idea what they are
talking about. The IOTA constructions were broken, and instead of
understanding that, they made bogus points and tried to attack the four DCI
researchers in various ways.

In that context, I think Green's tweet represented a bit of frustration at the
way public rhetoric is being misused.

[1] [http://www.tangleblog.com/wp-content/uploads/2018/02/letters...](http://www.tangleblog.com/wp-content/uploads/2018/02/letters.pdf)

~~~
josephagoss
It doesn't surprise me that IOTA followers are toxic considering the founders
are toxic individuals. I find it interesting how IOTA founders are the
complete opposite of Satoshi and Vitalik.

~~~
ndury
I am an avid follower of the current crypto space and I cannot grasp how
unprofessionally and immaturely the IOTA team handles their issues. It's almost as
if 75% of the crypto space as of late is run by children/teenagers/adults
who cannot grasp the basic concepts of being civil to one another. This is
all very unfortunate for the overall growth and perceptions of the crypto
community as a whole.

~~~
tarken
that's what happens to people when they feel like they're competing in a
closing-off market. want to see a similar level of people clawing at each
other's throats, being petty & antagonistic, competing for scraps? look no
further than the music industry, especially the amateur scenes. more beef than
an industrial cattle farm.

