

Introducing Stellar: a decentralized protocol for sending and receiving money - polymathist
https://www.stellar.org/blog/introducing-stellar/

======
AlyssaRowan
>Facebook

Ha ha ha. No.

The rest of it looks interesting, however.

~~~
joyce
Hi from Stellar. I know FB isn't the ideal login method. But our goals were to
provide easy access to people and to have a method to detect spam accounts.
Today is our first day out. We will be releasing other ways to claim soon so I
hope you check back. Thanks.

~~~
hyh1048576
You are leaving the Chinese users behind. They contribute to 50% of Ripple's
traffic.

~~~
gdb
We definitely want to expand beyond Facebook for distribution as quickly as we
can. We'd love to hear — do you have any suggestions for the best way of doing
distribution within China?

~~~
hyh1048576
Well, if you (via Stripe) cooperate with Alipay, do a giveaway via them.

------
lbotos
My account password recovery "token" was sent via email. I thought that was a
no-no wrt security.

Edit: This was the text below the token:

Keep this code SAFE. Anyone with this code and your username can gain access
to your account. If you lose both your password and your recovery code, you
will lose access to your funds so be safe!

~~~
opendais
Ya, that was a bad idea on their part.

------
napoleond
This is _extremely_ cool; I started putting together some of the same pieces
after Stripe's blog post last week ([https://stripe.com/blog/bitcoin-the-stripe-perspective](https://stripe.com/blog/bitcoin-the-stripe-perspective))
and figured it was only a matter of time before something was launched. I'm
glad it's open source and not for profit.

I do have a few concerns, though. Some of them require a bit more digestion so
I won't comment on those here, but one that I'm sure about: _WTF is the
reference client written in browser JS??_ It doesn't make any sense, for all
the same reasons as the last time someone dragged out that dead horse.

~~~
gdb
The reference client being in-browser is a very deliberate choice: most users
aren't going to download a client to play around with a new currency. It's
certainly our hope that people will start building non-browser clients, and
because everything is open-source and available it should be easy to do so.

As soon as you're in-browser, you have a choice: do it server-side, which
means you have access to people's funds (at least while they're logged in), or
do it via client-side JS, in which case you don't. The choice there for
Stellar ended up being pretty straightforward, though the simple
implementation leads to some UX surprises such as:
[https://www.stellar.org/faq/#_Why_do_I_need_to_authenticate_...](https://www.stellar.org/faq/#_Why_do_I_need_to_authenticate_with_Facebook_to_receive_my_stellars_).

~~~
napoleond
_> or do it via client-side JS, in which case you don't._

Of course you do, it just takes a teeny bit more work--you swap the contents
of crypto.js with the contents of malicious-crypto.js. The threat model is
exactly the same (users either trust the server or they don't) but the browser
crypto option adds a layer of (respectfully, because I know you're a very
intelligent person who means well) bullshit.

~~~
gdb
Ah, so certainly malicious JS code could misbehave and gain access to your
account. But this is true also for someone publishing a desktop client — in
practice, people aren't going to check the code going into each release, any
more than they're going to inspect the JS running on their page before
entering the password.

I think the question of where your password _by design_ will go is very
important. If it's transiting the server, suddenly there's a lot more surface
area to worry about. Logfiles, databases, and the like suddenly can be called
into scope, and an attacker might be able to steal credentials even without
being able to substitute out code.

In any case, the great thing about an open ecosystem is that, if you don't
like the choices someone else has made, you are more than welcome to make your
own implementation with choices you prefer!
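
Added example, not part of any comment in this thread: the exchange above turns on whether the crypto.js a browser receives is the one that was reviewed. This Node.js sketch checks delivered script bytes against digests pinned out of band, using the strongest-algorithm rule of Subresource Integrity; the file contents, `PINNED` and all function names are constructed for illustration, and a pin served by the same server would not address the substitution concern.

```javascript
// Added example, not from the thread. Script contents are constructed samples.
const { createHash, timingSafeEqual } = require('crypto');

const STRENGTH = ['sha256', 'sha384', 'sha512']; // weakest to strongest

// Parse SRI-style metadata ("sha256-<b64> sha384-<b64>") into {alg, digest}
// entries, ignoring tokens with unknown algorithms or malformed base64.
function parseIntegrity(metadata) {
  const entries = [];
  for (const token of metadata.trim().split(/\s+/)) {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(\?.*)?$/.exec(token);
    if (m) entries.push({ alg: m[1], digest: Buffer.from(m[2], 'base64') });
  }
  return entries;
}

// True only if the bytes match a pinned digest of the strongest algorithm
// present. Fails closed when no usable pin exists.
function verifyScript(bytes, metadata) {
  const entries = parseIntegrity(metadata);
  if (entries.length === 0) return false;
  const strongest = entries.reduce(
    (best, e) => (STRENGTH.indexOf(e.alg) > STRENGTH.indexOf(best) ? e.alg : best),
    'sha256');
  const actual = createHash(strongest).update(bytes).digest();
  return entries
    .filter((e) => e.alg === strongest)
    .some((e) => e.digest.length === actual.length && timingSafeEqual(e.digest, actual));
}

// Build one pin token for a reviewed file.
function pin(bytes, alg) {
  return `${alg}-${createHash(alg).update(bytes).digest('base64')}`;
}

// Constructed stand-ins for a reviewed crypto.js and a substituted file.
const reviewed = Buffer.from('function sign(tx, key) { /* reviewed build */ }\n');
const swapped = Buffer.from('function sign(tx, key) { /* different build */ }\n');
const PINNED = `${pin(reviewed, 'sha256')} ${pin(reviewed, 'sha384')}`;

function demo() {
  return {
    reviewedOk: verifyScript(reviewed, PINNED),
    swappedOk: verifyScript(swapped, PINNED),
    // A weaker sha256 entry matching the swapped file must not override sha384.
    mixedOk: verifyScript(swapped, `${pin(swapped, 'sha256')} ${pin(reviewed, 'sha384')}`),
    noPinOk: verifyScript(reviewed, 'md5-AAAA'),
  };
}

console.log(demo());
```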

------
forgotpasswd3x
Disappointed that I have to sign in with Facebook to receive stellars.

~~~
joyce
I am one of the folks working at Stellar. Yes, FB isn't a login method that
will work for everyone. But today is our first day saying hello to the world;
we do plan on adding more methods soon. Thanks.

~~~
ryan-c
A few suggestions (which would probably need to be limited to over X age):

* Google accounts

* Github accounts

* Twitter accounts

* bitcoin-otc accounts (probably with a minimum reputation)

* GPG keys with some minimum threshold of age and "signedness"

* S/MIME certificates from issuers that verify government ID.

I'm guessing the difficulty with supporting multiple methods is a desire to
limit this to 5k/person. I'm not sure there's a good solution to this, though
I will say that you may have just added some additional incentive to steal
Facebook credentials.

------
polymathist
It seems that this is the "secret bitcoin project" that Jed McCaleb (formerly
of Ripple) has been working on. Very interesting.

~~~
danneu
It's his next pump and dump.

[https://xrptalk.org/topic/2629-selling-my-xrp/](https://xrptalk.org/topic/2629-selling-my-xrp/)

~~~
hackerweb
Long pump, though. The founders can't sell for 5 years.

[https://www.stellar.org/about/mandate/#Stellar_distribution](https://www.stellar.org/about/mandate/#Stellar_distribution)

------
ISL
The sign-in process creates an unfunded wallet. Facebook login is required to
receive 5k free Stellars (5k is 5 x 10^-8 of the available supply).

Cool idea. The idea of a distributed exchange is interesting.

------
gabemart
>Your Facebook account is too new to qualify. Stay tuned for new ways to grab stellars.

I've had my Facebook account for something like 8 years. Oh well.

------
polymathist
See the announcement from Stripe:
[https://stripe.com/blog/stellar](https://stripe.com/blog/stellar) and the HN
thread for the Stripe announcement:
[https://news.ycombinator.com/item?id=8114901](https://news.ycombinator.com/item?id=8114901).
Stripe invested in Stellar and the CEO of Stripe is on their board.

------
tzaman
Interesting project, I only wish I understood the mechanics behind it (apart
from what the site tells me). Hopefully there will be a layman's video
explanation about it.

On another note, this is one of the situations where it makes a lot of sense
to register a simple username _just in case_, so I don't regret it later
when the only ones available are longer ones :)

------
jontro
Where do they explain the concept of what a stellar is used for? I assume you
would convert other currencies to stellars but I cannot find that detailed.

------
gaelow
"A decentralized protocol for sending and receiving money": How is this news,
exactly?

~~~
gaelow
Or, just rephrasing:

Decentralized as in bitcoin, where proofs of work confirm transactions? That
is not news, since 6 years ago.

Decentralized as in any other electronic transfer system, where you trust a
few nodes to confirm the transaction? "Each node in the network communicates
with a set of other nodes that it believes will not collude (such as nodes run
by universities, governments, and companies)" That is not news, it's from
decades ago. (Some people even tried to put a patent on it, like 15 years ago:
[http://www.google.com/patents/US6173272](http://www.google.com/patents/US6173272))

------
mastermojo
Can anyone briefly explain the difference between this and something like
Ripple?

