A manufacturer may 'legitimately' establish an enclave in your most trusted hardware which you may not audit or even measure. And if that security model becomes commonplace, for example when only allowing Widevine DRM inside SGX, you eventually cannot use your self-chosen hardware, but will have to pick a feudal lord from a limited set of 'ecosystem choices'.
Also, the article mentions the de facto centralization of trust in the current cryptocurrency ecosystem - so pragmatically, it's not much better there. From centralized exchanges, to centralized mining cartels, what does something like Bitcoin have left to offer?
The Stellar Consensus Protocol, which MobileCoin say they're using, uses something more akin to a web of trust rather than proof-of-work. You do not need the SGX to get rid of proof-of-work.
Oh, dear lord.
> ultimately not as advanced as its younger brethren.
These must then be simply out of this world. Superwonder technologies. Double digit transactions per second!! /$
The hype around this piece of software is getting out of hand.
Said by a guy who just witnessed the historical invention of the wheel.
The wheel was, in fact, one of the first instances of a centralized structure replacing an inefficient distributed structure.
The central "hub" of a wheel bears the load and the "edge condition" is the substantially reduced "rolling friction".
This is in contrast to ye old "distributed load" way of a zillion poor slaves pulling a load.
So as far as the "wheel" goes, VISA is a chariot, and Bitcoin is an army of slaves pulling a wheel-less load.
And in fact, the "facts" prove this. Almost 400 kWh per transaction, and that at the feeble rate of 7 tx/sec.
That is your "technological wonder".
"Technological wonder[s]" of this time -- now -- are Machine Learning, CRISPR, etc. These are the "inventions" to pay attention to, not a thinly disguised play by private wealth to finally fully take out the national governments from the monetary system loop.
That CJW -- Crypto Justice Warriors -- like you fail to see this is the actual "wonder".
About the wheel. Rolling friction is less than sliding friction... Regrettably that point is probably over your head.
+1 for your ad hom.
Or do you mean the revolutionary scamming techniques never seen before? /s
Before bitcoin you would be unable to create a virtual currency without a central authority. Satoshi's algorithm was a new invention in 2009, although its parts, like proof of work, were invented in the 1990s.
Until that happens, there's still money to be made!
Not all ciphers... 3DES and GOST have no practical breaks after 40 years of cryptanalysis (all attacks have > 2^100 time or memory complexity)
Any secure modern 256 bit symmetric primitive is likely safe from large quantum computers.
What will continue to be broken are encryption protocols and systems that misuse modern secure 256-bit primitives. So we will continue to see things like the BEAST attack because non-cryptographers continue to invent their own encryption protocols with alarming frequency.
In this case you only have one single point of failure: Intel. If that breaks, what then?
From a pure efficiency/centralization perspective, there are likely better cryptocurrencies out there. I think Ethereum's sharding network is interesting, too, and it seems to maintain a high-degree of decentralization, but I don't know how easy it will be to implement:
In that case, one might as well go with any of the permissioned blockchains (such as Interplanetary database where the nodes are run by reputed non-profits for a minimal fee).
I'd say you're being overdramatic here. Mining is still decentralised and if there are any mining cartels, they haven't abused their position yet. It's still possible to buy, sell and spend Bitcoin peer to peer as well.
Controlled by a handful of people is absolutely not decentralized.
They have abused their power. Ghash double spends. Segwit blocked for a year. Bitcoin cash proxy support.
Wait what, no.
Did you read about Ethereum's Casper and proof of stake? Or DPoS, implemented in EOS et al.?
> This means that the ledger is "public" and distributed to all MobileCoin nodes, but will also simultaneously never be accessible or viewable by humans (even the operators of the MobileCoin nodes) so long as SGX and the MobileCoin software
It seems unlikely to me that these two things will remain the case.
> A client can perform remote attestation to its MobileCoin node before transmitting its keys into the remote enclave along with a short recovery PIN.
And it seems if SGX gets popped the whole thing comes crumbling down.
Quotes from https://www.mobilecoin.com/whitepaper-en.pdf
And to some degree, the success of Signal, or of Signal's protocol as implemented in widely used services such as WhatsApp, supports his approach. If cypherpunk purists had their way, encryption would still only be a thing exclusively used by a slim minority of nerds who are capable of managing PGP and all the complications that come with its fragile nature.
However I'm not really convinced Signal is all that secure in the Android ecosystem, and I trust Open Whisper Systems even less than bigger tech companies to not fold under pressure.
Bitcoin was designed to be as decentralised as possible. It turns out this has serious downsides and it’s difficult to pursue the sort of financial revolution it aspires to without social revolution.
This currency chooses different trade-offs which the creators believe will make it more popular because most people don’t need or want trustless transactions. People delegate power for finance, politics and computing not because they are stupid or serfs but because they are willing to sacrifice some autonomy for the speed, ease of use and enforceable contracts which come with a central authority.
I actually chose to refer to 'feudal security' as coined by Schneier (at least in the context of computer security), because it is such a compelling and balanced approach to the exact same trade-offs you're describing.
No, an argument is strong or weak regardless of whether you like the words used to express it.
As disappointing as it might be, pure logic is rarely enough in the real world.
Amen. Too few projects have this focus.
Even if you do want to hold long term, you could just replenish what you spend along the way, if it weren't a tax reporting nightmare.
As an individual, if you mine you have to record the value as it was at the time of mining; if you buy, you record it at the time of purchase; and you pay capital gains on the difference between the values if you exchange the crypto for fiat currency or for goods or services directly.
It gets more complicated since you can't select an individual currency unit from your wallet, but atm you are allowed to use creative accounting for that.
The fact that you have an allowance doesn't mean it's not taxed, and if you have any substantial amount you'll blow through that allowance pretty darn fast.
The same goes for many other assets you pay cgt only when the profit is realized.
* Capital gains in excess of £11,300
* Disposals (sales) in excess of £45,200
* Losses that you wish to claim
Worth noting e.g. if you receive stock under US company schemes and sell even if you have already been taxed on the gain versus FMV as income. You can be in a circumstance where the taxable gain is under the threshold but disposals are high.
The appropriate and interesting applications of crypto seem to be totally leaving p2p cash behind - it just doesn't seem like a good fit.
I do agree that crypto keeps drifting away from p2p cash ... that's a good observation. But I hope people keep shooting at that target.
Incorrect. Decentralization is always more expensive and slower than a centralized system (both hypothetically optimal) due to the extra sync cost.
I don't doubt Visa will continue to be used, but I imagine it will be for fraud protection rather than cost.
Not to mention since you can't really spend bitcoins you'll have to pay more for conversions to national currencies on both ends.
226 * 100 * 0.0000001 * $17761 = $4.01
With bitcoin, a merchant you make payments to can potentially find your wealth, or another can deny a transaction to you because you donated somewhere.
These are not doomsday scenarios, this happens today and will happen more if we do not choose privacy.
I doubt one would get rich as Bitcoin creators, but one could still make a killing ....
Edit: And this stands to reason. We're relatively later in the game, and so new contributions are less fundamental by definition.
Because it defeats the point. There is no "coin" that will exponentially appreciate in value, making you a billionaire. There is also no centralisation, so you cannot be the owner of the payment system in the same way that Paypal or Visa are.
At best you can be the Linus Torvalds of your payment system non-profit. Which would be a good gig in itself. But that comes with lots of hard work, not the easy riches that you can do from some hype-pump-dump scam in less than 6 months.
If an instrument stores value, it's an asset, not currency. One can of course transact business with assets, but it's a lot more complicated because you have to agree to a valuation. And without a currency, how do you measure that?
Plus, the incentives for assets and currencies are opposed. Currency exists to be spent, but if an asset is appreciating, you'll want to hold it, not trade it.
Bitcoin was advertised as a currency but it's acting like an asset. (And it's regulated like an asset.)
If you create a new class of asset, you can buy in early, hold on, and get rich on appreciation.
But if you invent a new currency? It's like inventing the inch. Even if everyone uses it, that doesn't give you any more length of your own.
This is being solved by Shapeshift.io and XMR.to. I transact in cryptocurrency all the time using these intermediary services with BTC as the usual medium of exchange. It's opened my skeptical eyes about the future of how things will work.
And it still processes a Bitcoin transaction, correct? So it will be no faster than Bitcoin?
OK, that's fine, but services like that could - and will - get much friendlier. I'm just rebutting the quote which is the blanket "no one transacts in cryptocurrency" which is certainly not true for me, even though I felt that way just 2 months ago. Now that I am an active miner of various currencies, I find myself using it quite frequently for random goods/services, even though the plan was really just to convert it quickly into USD fiat to continue reinvesting into the mining operations or to pocket it.
Lightning Network has not launched, in the sense of, it is not being used by the community it was designed for. And it never will.
David Mazières’ paper displays strong insights and proofs into the structure of byzantine systems with open membership.
I wonder where the code for MobileCoin is, or when it will get open-sourced.
All GitHub yields currently is this clearly non-affiliated project: https://github.com/mobilecoind/mobilecoin.
Everyone can run a node, but the whole system is not itself decentralised, because you need "anchors", which are banks or payment processors, to get your money in and out of the system.
So then, what is the point of the decentralised ledger? GNU Taler seems like a more simple solution.
From the Stellar FAQ: "Lumens are the native asset of the Stellar network.
Native means that lumens are built into the network. Asset is how the network refers to an item of value that is stored on the ledger.
One lumen is a unit of digital currency, like a bitcoin.
While you can’t hold a lumen in your hand, they are essential to the Stellar network—they contribute to the ability to move money around the world and to conduct transactions between different currencies quickly and securely."
After reading up on Taler, it sounds like a very similar idea to Stellar, but Stellar removes some of the need for trusted authorities.
From the Taler overview: "The system requires an external auditor, such as a government-appointed financial regulatory body, to frequently verify the exchange's databases and check that its bank balance matches the total value of the remaining coins in circulation."
In Stellar, this service is provided by the ledger and the nodes that validate it.
There are other interesting features of the Stellar native currency such as providing a way to transparently convert between currencies when making a payment: https://www.stellar.org/how-it-works/stellar-basics/explaine...
You also need exchanges for cryptocurrency, so why not admit it from day one and build that concept into the system?
And maybe it's possible to graft a cryptocurrency onto SCP by using consensus to choose nodes which receive freshly "mined" currency.
The mythical closed-loop Bitcoin economy ain't going to happen.
It's a lot more efficient than Bitcoin (no proof of work, it's just another consensus protocol), but the trade off is that 1) it doesn't have all the feel-good rampant libertarianism of completely untrusted decentralized consensus of Bitcoin 2) you have to pick a good set of trusted nodes and trust them all not to collude
(Ripple has other problems that skeeve me out, but after thinking about it federated consensus isn't one of them. I think a lot of altcoins are using federation, actually...)
Also not sure how I feel trusting the fate of a cryptocurrency to the strength of Intel's SGX.
Other than that, I very much share your concern.
I think that in reality, there will really be just a few nodes: Signal, WhatsApp and some bots/banks/businesses. The trust system in place is ideal for this.
> At install time, Alice's client performs remote attestation with its Mobile-Coin node, establishes a secure communication channel into the remote enclave, and transmits its keypair along with its recovery PIN.
I wonder if the Stellar network is "leakier" than a decentralized network would be, though.
I wouldn't call Monero "untraceable" even though I am a very big fan of XMR. It takes work to put a lot of steps between you and the payee at more levels than simply the transactional one.
>" 10. Bob has now successfully received a payment."
If I'm reading this correctly, Bob's client (e.g. mobile app) must be in contact with the node for his address to receive the payment. This is pretty different from what I think will be Mobilecoin's closest competitors (at least from a UX standpoint), Venmo, Google Wallet, etc.
DDOSing Bob's mobile device or otherwise preventing access to the node would, at least temporarily, prevent the transaction from going through. Are the funds in purgatory during that period? If that client never gets in contact with the node, does the transaction ever get reversed, allowing the sender to regain control of the funds?
There are probably a host of other repercussions I haven't thought through yet. The idea of a cryptocoin as easy to use as Venmo/Signal is definitely intriguing.
There will be Signal, WhatsApp, Messenger, etc. nodes and some small nodes for businesses, bots and similar.
Yes, theoretically, if you DDoSed Signal, then Bob wouldn't be able to get the coins.
2) Am I correct that if any vulnerability were found in the SGX, an attacker would gain access to the encrypted private keys that are stored on a server node and would just need to brute force the PIN?
Regarding the second point, since it's on the server, wouldn't a vulnerability just mean the server operator might potentially be able to get at the keys, not any random attacker?
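The brute-force question above, worked through as an added example (this is not MobileCoin's code; the whitepaper excerpts quoted in this thread do not describe how the key material is actually stored). A key blob is sealed under a key derived from a short numeric PIN. While the enclave holds, nobody sees the blob; once someone can read it, whether because SGX is broken or because the node operator is dishonest, recovering the key is a walk over the PIN space. The cipher here is a toy PBKDF2/HMAC construction standing in for a real AEAD, and the iteration count is deliberately low so the walk finishes in seconds; `work_factor()` gives the total cost in PBKDF2 iterations so you can scale it to realistic settings.

```python
"""Added example: a short recovery PIN protects an exported key blob only
as long as nobody can read the blob.  Pure stdlib.  The cipher is a toy
(PBKDF2 -> SHA-256 keystream + HMAC tag), not a production AEAD and not
MobileCoin's design.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Deliberately low so the demo runs in seconds.  Real deployments use far
# more, but the attacker's cost is still just (PIN space) * (iterations).
KDF_ITERATIONS = 500


def derive_key(pin: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Stretch the PIN into a 256-bit key."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from SHA-256."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(secret: bytes, pin: str) -> bytes:
    """Encrypt `secret` under a PIN-derived key: salt || nonce || tag || ct."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(pin, salt)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(key, nonce, len(secret))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return salt + nonce + tag + ct


def unseal(blob: bytes, pin: str) -> Optional[bytes]:
    """Return the plaintext if the PIN is right, else None (tag mismatch)."""
    salt, nonce, tag, ct = blob[:16], blob[16:32], blob[32:64], blob[64:]
    key = derive_key(pin, salt)
    expected = hmac.new(key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def brute_force_pin(blob: bytes, digits: int = 4) -> Optional[Tuple[str, bytes, int]]:
    """Walk every `digits`-digit PIN against a blob the attacker has obtained.
    Returns (pin, recovered_secret, attempts) or None."""
    for n in range(10 ** digits):
        pin = str(n).zfill(digits)
        recovered = unseal(blob, pin)
        if recovered is not None:
            return pin, recovered, n + 1
    return None


def work_factor(digits: int, iterations: int = KDF_ITERATIONS) -> int:
    """Total PBKDF2 iterations an exhaustive search costs: linear in PIN space."""
    return 10 ** digits * iterations


if __name__ == "__main__":
    # Constructed 32-byte "private key" and a 4-digit PIN (demo values).
    blob = seal(b"\x11" * 32, "7391")
    print(brute_force_pin(blob))                 # ('7391', b'\x11'*32, 7392)
    print(work_factor(4), work_factor(6, 100_000))
```

Note that the attacker never touches the enclave's attestation path; the argument in the comment above only needs read access to the sealed blob. Adding digits or iterations moves the cost linearly, which is why a PIN is a usability feature rather than a cryptographic one.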
For example, users control their own private keys and they're never exposed to a node, so I'm not sure why the whitepaper mentions storing private keys in the SGX. Perhaps they're going to host wallets for a user and store all keys in the SGX?
I'll be very interested in more details about this project since it doesn't appear to use the Stellar network, only the consensus protocol.
But the article describes his involvement as "Marlinspike has been working on as a technical advisor."
Those two descriptions sound different.
I assume this is another early adopter, mining platform....
Nobody's decided to solve that rather fatal flaw.
I'm not convinced that Stellar consensus here is the right algorithm for doing this, but I think SGX is promising technology that has been somewhat overlooked in the blockchain space (not by everyone). SGX has a lot of potential. You can use SGX as a way to expand the consensus rules of any blockchain by using it as a blackbox obfuscation construct. Everything and more that Vitalik wrote in his article about Indistinguishability Obfuscation is possible with SGX today.
Want to create a specialized oracle that only signs certain transaction formats, even on untrusted hosts? Yep - use SGX. Now you can have agents that run in a cluster that will only move assets between blockchains based on a user's prior agreements, allowing for more complex cross-blockchain smart contracts to be written in high-level languages. What about having a nice way to do transaction commitments to scale any blockchain without having GB zero-knowledge proofs? SGX again. It could be used for privacy preserving protocols... It could be used for solving data availability problems in sharding / decentralized storage systems. The list goes on.
Some of the biggest trust problems are solvable with this technology - but like others have already said - you still have to trust the hardware manufacturer. In this case, my thoughts are that you already have to trust the hardware manufacturer anyway (nobody is going to inspect every chip with an electron microscope...) My bet is that a non-trivial portion of full nodes today are already running chips with backdoors like the Intel Management Engine anyway...
The point here is that you can't fully remove trust from any system without introducing vast inefficiencies, but you can at least formalize the risks in a system and design so that a compromise is too expensive to be worthwhile, and for me I think that's where the potential lies with this tech. Cryptoeconomic systems based on tamper-proof hardware where individually a component may be compromised, but where it is simply infeasible to compromise each and every device. You build a network out of these components and you have yourself the first on-chain scalable blockchain bound by physical hardware encumbrances instead of computational difficulty.
Ultimately DirecTV was able to kill pay TV hacking by simply introducing a new generation of cards that were better protected, the P4 series iirc. Other pay TV firms invested less and were mostly undermined by just one guy (Tarnovsky) - not exactly an army of reverse engineers.
The weak points in SGX security aren't the electronics themselves. So far all attacks on it are side channel based.
Still, the analogy applies because the stakes with a cryptocurrency that depends on transistor security make it a much more interesting target than the, now boring++, pay TV market. It should not be assumed that any secrets will stay inside of that secure enclave, at all.
++it's boring to hack paytv because streaming, downloads and card sharing removed a large bulk share of the need
But Moxie Marlinspike though...
But with Stellar or something based on its consensus protocol, you can run your own node if you want, or more likely, a bunch of public nodes can exist and you can pick the one you trust to work with. For example, if banks decide to start working with MobileCoin, then Chase could offer a node and, as a Chase customer, you could decide to trust their node (since you already trust them to manage your money) and use that one.
Still not getting it. If I don't trust CoinBase, I can go to any other online wallet that manages my private keys. With some effort, I can even start one myself. If Chase is running such a wallet, I can use them.
How is a decentralized protocol not a superset of a "federated" one?
What does HN say? Do we trust Intel (motivation and implementation) that much?
Intel's implementation is considerably worse than that. Even if you assume the hardware itself isn't compromised, every remote attestation has to go through the "Intel Attestation Service" which has no end-to-end protection. The IAS is what actually validates the enclave's signature, and it returns a "success" or "failure" message which is signed with an Intel key. But there's absolutely no technical measure that prevents Intel from being compelled to sign a falsified response; a client would have no way of telling the difference.
This is documented by Intel, and I'm hardly the first to notice it, but people still seem to talk about SGX as if compromising it is equivalent to backdooring the CPU, which is inaccurate.
It's also worth noting that SGX can run in two modes. There's "debug mode", which provides absolutely no security because a debugger has complete access to the state of the enclave. And then there's "release mode", which requires a key that you can only obtain by signing a commercial agreement and NDA with Intel.
That's shady af.
I've met some of the people working on this at Intel and I do have confidence that this isn't some conspiracy, I do think they have the intention of improving the crypto space with projects like this.
Adapt or die
Moxie has good ideas, but SGX is a trap and he fell into it.
I was given 6000 XLM and I left it in their official wallet for years. On May 12th, 2017 I wrote them an email asking why my wallet, now converted to some newer official wallet, was empty. I did not receive a reply for 2 months, at which point I followed up and received a reply within a day, which was:
"I have investigated your account and it looks like an account merge operation occurred some time ago merging your lumens with another account. If you did not commit this action, it could be possible that someone was able to obtain your account information.
You can see the merge operation here:
Unfortunately there is nothing we can do to retrieve your lumens at this point.
Apologies we cannot be of further help."
I have pretty damn good security of my various accounts using hardware 2FA and such, and I also transact in cryptocurrency and have wallets with far more fiat value in them than 6000 XLM had at the time ($120-150 USD if I recall), with absolutely no issue - and I hadn't even logged into their official wallet. The developers were 100% quick to blame this merge on me. I replied with a flat: "I highly doubt you are correct that it is my fault" email and it went back and forth with them asking the basic "well, did you get spearphished somehow" as if anyone even knew what XLM were or cared.
The process dragged on for a month while I bothered people in their Slack channel since email communication dropped out and they finally came back with:
"Our team has investigated and checked for multiple different types of issues and have not found anything on our end that shows any type of security compromise in our system.
Unfortunately this means at this moment I do not have a concrete answer to how your account was compromised. I’ll follow up again to check if there is anything on your end they would recommend you do."
I investigated on my own and found a number of accounts who were "hacked" and sent XLM coins to the wallet that I had merged with, all that just kind of sat there, indicating a software error on their end of a bunch of accounts that were randomly emptied. I provided all documentation to their team and spent a solid 15-20 hours doing so.
Their response to all of this bug bounty-type work?
"They have identified one potential issue in the past that affected only a small number of accounts, possibly yours. This bug was fixed once discovered back in 2014, but users who may have been vulnerable to the bug were still impacted during the upgrade process to the new network even after it was resolved.
Although we think this was the cause of what happened, we cannot be 100% sure if this was what impacted your account considering you had a strong password and none of your other accounts were compromised."
"Although we cannot recover your original lumens from your account, we'd like to award you 3000 lumens as part of our Bug Bounty Program because you have helped us in identifying a possible issue that happened in the past."
So they basically gave me half the XLM back instead of the full amount despite it being entirely their fault and them having no idea how to investigate while I exposed a serious flaw in how XLM were assigned and paid to their wallets, all while blaming me the entire time and with atrociously slow customer response times.
Forgive me if I'm not the biggest XLM/Stellar Lumens fan; their team is both terrible at support and suggests that at least their frontline investigators are technically incompetent since they couldn't figure out the merge situation before I did with simple API poking around and enumerating.
I think it is easy for nearly all of us to agree the most likely cause of your own issues is operator error. Now that the price is shooting up on these coins, it's not rational to expect STR to chase down every 6K STR giveaway grievance that they receive.
Seems exceptionally unlikely given the number of upvotes I have and the work that I did tracking it down. It is very likely their fault and/or a software bug.
Aside from the fact that this is a terrible line of argumentation ("Person A gave you $100 and then Person B later stole it out of your house, what's your problem with that?"), that is not the point of my comment at all. I suggest you read a bit more specifically in regards to service, transactional security, and the fact that the coin is federated and not decentralized.
Stellar not being decentralised, even 90% of nodes are not run by the SDF, makes it somehow insecure? If you have some specific complaint about security, point it out; instead you are just ranting on an anecdote.
I did, in the post. I'm not sure why you are making a big deal about the money I lost. I am certainly not. It is about the mechanism by which it happened and how they didn't take it very seriously.
EDIT: I am also not even sure to this day what the value of XLM is, and don't particularly care. I gather from your post that it has gone up. Congratulations. I think XLM's architecture and use case makes a lot of sense. I also think their developers and support team are quite poor. That is the intent of my post.
Specifically this claim
"In a semi-synchronous attack, we extract 96% of an RSA private key from a single trace. We extract the full RSA private key in an automated attack from 11 traces within 5 minutes."
It's run by SETS of trusted third parties, where each individual node specifies what set of nodes it trusts to not collude against it.
You don't need any ones permission to run a node, but it is up to other nodes if they want to trust you
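The trust model described in the two comments above (each node picks the sets it trusts, nobody needs permission to run a node) is what the Stellar Consensus Protocol calls quorum slices. The following is an added example written for this thread, not code from Stellar or MobileCoin, and the node names and configurations are constructed. It shows how a quorum emerges from individually declared slices, and why "you have to pick a good set of trusted nodes" (as another commenter put it) is a safety requirement rather than a preference: if two groups each form a quorum without sharing a node, the network can commit two different ledgers without anyone acting maliciously.

```python
"""Quorum slices and quorum intersection, in the style of the Stellar
Consensus Protocol.  Added example, stdlib only; node names are constructed.

Every node publishes its own quorum slices: sets of nodes (including itself)
whose agreement it will accept.  No registry decides who may run a node; what
matters is who lists whom.  A set U is a quorum if every member of U has at
least one slice contained in U.  Safety needs quorum intersection: any two
quorums must share a node, or two groups can each "agree" on a different
ledger.
"""
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

Node = str
Slice = FrozenSet[Node]
SliceConfig = Dict[Node, List[Slice]]   # node -> the quorum slices it declares


def is_quorum(candidate: Iterable[Node], slices: SliceConfig) -> bool:
    """True if every node in `candidate` has some declared slice inside it."""
    u = frozenset(candidate)
    if not u or not u <= frozenset(slices):
        return False
    return all(any(s <= u for s in slices[v]) for v in u)


def all_quorums(slices: SliceConfig) -> List[FrozenSet[Node]]:
    """Enumerate every quorum (exponential in node count; fine for a demo)."""
    nodes = sorted(slices)
    return [frozenset(c)
            for k in range(1, len(nodes) + 1)
            for c in combinations(nodes, k)
            if is_quorum(c, slices)]


def find_disjoint_quorums(slices: SliceConfig) -> Optional[Tuple[FrozenSet[Node], FrozenSet[Node]]]:
    """Return two quorums with no node in common, or None if intersection holds."""
    for a, b in combinations(all_quorums(slices), 2):
        if not (a & b):
            return a, b
    return None


def has_quorum_intersection(slices: SliceConfig) -> bool:
    return find_disjoint_quorums(slices) is None


def threshold_slices(nodes: Iterable[Node], threshold: int) -> SliceConfig:
    """Each node requires itself plus any (threshold - 1) of the others;
    threshold=3 over four nodes means 'any majority'."""
    ns = sorted(nodes)
    return {v: [frozenset((v, *others))
                for others in combinations([n for n in ns if n != v], threshold - 1)]
            for v in ns}


# Constructed configurations, not real Stellar validators.
MAJORITY_SLICES = threshold_slices(["A", "B", "C", "D"], threshold=3)

# Two pairs that only trust each other.  Each pair is a quorum on its own and
# the two share no node: the ledger can fork with every node following its
# own declared trust.
SPLIT_SLICES: SliceConfig = {
    "A": [frozenset({"A", "B"})], "B": [frozenset({"A", "B"})],
    "C": [frozenset({"C", "D"})], "D": [frozenset({"C", "D"})],
}

if __name__ == "__main__":
    print("majority config intersects:", has_quorum_intersection(MAJORITY_SLICES))
    print("split config disjoint quorums:", find_disjoint_quorums(SPLIT_SLICES))
```

The check is local to a configuration snapshot: a node can run it over the slices its peers publish and refuse to rely on a set that admits disjoint quorums. In the majority configuration any two 3-of-4 quorums overlap, so intersection holds; in the split configuration `find_disjoint_quorums` returns the two cliques.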
This isn't just theoretical either. Stellar has co-authored a paper arguing for regulations against anonymous cryptocurrencies:
It's clear that it's positioning itself as a gatekeeper-based ledger that stays on the good side of regulatory agencies.
Edit: You could still check the signatures signed by the trusted Intel CPUs on your ARM device of course, but any mining would have to happen on a SGX-enabled Intel CPU. (Or anything else with Intel's private key.)
Binding yourself to an implementation like this seems like mega big centralization. There's several decentralized coins that could solve some of these same problems.
On a side rant: so... many... coins... I too have something called BrowserCoin.com but still haven't figured out what problems to solve. Too many people just go and implement a pseudo-academic blockchain tech with fancy dials without vetting the problem... virtually zero adoption other than from pumpers and the owner... That is something I'd like to avoid altogether, for once a cryptocurrency-based business that delivers and benefits people who don't need expensive rigs to mine or to jack resources (browser-based blockchains etc.).