It is a great example of someone (the "expert") convincing a non-technical person that they are the "ninja rockstar 11x post-quantum hash function expert".
I've seen this many times. Managers / owners don't have ability to assess who is an expert and who isn't. So whoever talks more convincingly is the "ninja rockstar". After that they can do no wrong. Also after that somehow admitting publicly that the person they picked is a scam artist becomes pretty hard, because it also means admitting to their own mistake of believing them.
Others who see what's going on, leave and this this eventually leads to the whole ship sinking.
Oh and accusations of drunkenness of course, those are always so constructive and helpful.
Is there a modern secure hash function considered to be under threat from quantum computing? I was under the impression there isnt one.
It's scary to see marketing spiels thrown into technical discussions, it's even worse when the thread is released as some sort of defense and those less informed see the big words and appeal-to-authority name dropping.
I am seeing that a lot right now in public services (I entered a year and a half ago). I am looking at decade-old project going nowhere and managers trying to plug it into anything that would justify its existence (poisonning other agencies in the process).
> Others who see what's going on, leave and this this eventually leads to the whole ship sinking.
It's hilarious that he thought that would work with a security researcher at MIT.
> We were just reached out to
by a CoinDesk journalist that Ethan contacted in an attempt to rush out this publication.
This may be the biggest scandal I have ever heard of from what has been portrayed as
a professional 'responsible disclosure'. Ethan is clearly in complete conflict of interest
and pushing this for his own gain, this is no longer about academic merits, but a
desperate attempt by Ethan to make money.
I can be wrong but the suggestion here seems to be that Coindesk journalist reaching out to the Iota team was a ploy to force them to pay a bounty.
But, after devolving into a personal attack. They expect him to reply back a month later?
> Hi Ethan, I can't get a single reply from you, looks like you put me on ignore on Twitter.
This whole saga seems to be symptomatic of the cryptocurrency scene. Lot of expertise on money, economics, cryptography, programming language etc is out there. But, any criticism of cryptocurrency devolves into either personal attacks or a know-all attitude which ensures not many people want to lend their expertise.
Edit: After re-reading the blog post, I realized the agenda of this leak was to show evidence of conflict of interest. The correct link for the post should have been:
The lab director should have handled all communications.
Haha this is a wonderful suggestion. "If you weirdos think ternary arithmetic has any benefits, just combine it with a crypto primitive you didn't handroll, ya dingus"
And then they say it's okay because of "higher level checks" that a colliding transaction wouldn't validate, so then when one is demonstrated, they say "it's okay because we'd just decide to reject the bad one even if the hash is the same" and the final defense is "something something distributed ledgers Satoshi"
I'm not sure how this was meant to "expose" MIT or be pro-IOTA in any way.
If you post something negative about IOTA you're likely to get a bunch of troll responses from accounts with histories of nothing but IOTA-related likes, retweets, and responses.
it would all be solved forever and anon with a paywall. 5 mao men, botheads, shilling, you would raise the cost to them by orders of magnitude (stealing other people's credit card numbers cost real money)
The conclusions on HN are (so far) completely at odds from those on the cryptocurrency subreddit: https://www.reddit.com/r/CryptoCurrency/comments/7zztey/full...
Meanwhile the commercial world seems happy to engage with IOTA:
"Volkswagen CDO will join the supervisory board of the IOTA foundation. And now, Volkswagen is going to utilise this technology in their automobiles." -- https://coingape.com/iota-volkswagen-partnership-raises-hope...
"Bosch makes first investment in distributed ledger technology, purchase of IOTA tokens to support creation of new business models for the Internet of Things" -- http://www.bosch-presse.de/pressportal/de/en/robert-bosch-ve...
"Taiwan's capital city of Taipei is working with the IOTA Foundation to bring Tangle - IOTA's answer to blockchain - to its citizen identification plans." -- https://www.coindesk.com/city-of-taipei-confirms-its-testing...
So what to make of all this?
I've taken some cryptography classes and a graduate level cryptanalysis course, and I could immediately tell that the people on the iota side clearly don't know what they're doing. For example, this should trip anyone's bullshit detector:
"IOTA was created to be immune to quantum computer attacks, today I have revealed that it was also created to be immune to attacks from an AI"
The biggest problem is that it just makes no sense. It's not going to be decentralized & secure at the same time. It's LESS efficient than blockchain in every way. It's bad for IoT. It doesn't have any of fancy features like Ethereum.
Crypto issues is just an icing on a cake. They can change crypto functions, but they can't change the fact that coin is the worst choice for IoT (or pretty much anything).
The only selling point is that it's fee-less. But it's possible to make a centralized fee-less coin which would be much more secure and useful than IOTA.
Germany is lacking behind in tech, and the country is putting lots of bets to their car industry, the Volkswagen scandal not helping there. Now there is this new thing called cryptocurrency and one of them comes from Berlin. I don't know is it just me, but it's not that hard to start speculating why these big German companies want to announce themselves to be working with a Germany-based cryptocurrency.
Cars aren't everything.
IOTA are rolling their own cryptography which immediately makes me run the other way. At least until I see some respected peer review that it's sound. This exchange makes me think that unlikely at best.
Don't buy a Volkswagen until they have run the other way!
Most of the posts there are ways of confirmation biases - it's very difficult to get someone to see what they don't want to see in his/her cryptocurrency.
There are certain coins that are exceptionally polarizing (Ripple and IOTA come to mind) - it leads to this my coin vs your coin behavior. It's so fascinating, yet odd at the same time.
I read about 3/4 of the emails before coming to the conclusion I had no idea what was going on.
(I do think there are cryptocurrencies worth a bet in the long term, if you can afford to take a chance. Better to start with basics like the Princeton course and form your own judgements.)
Also, it seems logical at this point to disregard anything coming out of the cryptocurrency subreddits. They drink their own Kool-Aid.
[Edit to add this plug for Zcash! Made with real cryptographers]
A major wake-up call for me in the crypto currency world was
Gavin Andresen's ludicrous "validation" of Colin Wright as Satoshi.
When a so-called leader clearly does not even understand the basics you realise it's 98% shit. Sturgeon's law applies again. But I keep on forgetting that.
No, for the past half a year or so I've been trying to learn all I can about market microstructure, quantitative finance, anything that makes money off of high variance.
Because if there's one thing I will bet on, it's that there's a ton of risk and volatility here in these hills, and there's probably money to be made somehow while it all crashes and burns.
Then there's the second level bait - since there are all these suckers out there, surely money can be made by predicting them!
And then it's turtles all the way down. You won't know if you're a sucker or at the very top level until it all comes crashing down.
> But critics called Dr Wright's claim into doubt when it emerged that part of the evidence the entrepreneur presented in public could have been generated using a string of digits linked to a seven-year-old transaction made by Satoshi, accessible via a search engine.
"It was a mistake to agree to publish my post before I saw his - I assumed his post would simply be a signed message anybody could easily verify," Mr Andresen told security researcher Dan Kaminsky when he challenged the scientist over the matter.
I'm out of the loop; do you have any good summaries of this incident?
I read through the whole exchange and kept thinking "How are they managing to be so polite, to these rank amateurs who show no respect?" I probably would have informed them of the flaw, informed them when I was publishing, informed of a suggested fix then piped all the rest to /dev/null.
I also positively love the use of "push it to the limit".
"Can you explain to me what you think I did wrong in my program? I can assure you everything is correct. Otherwise you're clearly drunk and out to get me."
> Did you receive the invite? We can also setup a chat with our ex-NSA post-Quantum hash function experts after we get the initial confusion out of the way.
hahahaha fuck me, this is good stuff.
Neha's "I'm going to stop responding now." should have come much earlier.
Which is the real "yowza" imho.
Being in the green just means you’ve convinced a critical mass of greedy, ignorant people that you’re a winner.
Let your fingers do the walking.
> I read the emails and it seems to me that Ethan doesnt understand what theyve done in IOTA or has very different way of interpretting what they have done aka hes trained by a textbook and if you deviate from textbook its wrong bla bla. I think come_from_behind is and will continue to run laps around these University morons
That is a cringe worthy statement by someone doing a cryptographic decentralized project. The whole conversation is a trainwreck. :/
> In this case you are right, second-preimage resistance is an anti-feature, collision resistance threat is nullified by Coordinator while allows us to easily attack scam-driven copycats. (pg. 24)
The Coordinator referenced is a validation node ran by the IOTA team which currently processes all transactions.
The whole narrative from the start has been decentralized cryptocurrencies; but IOTA it seems is neither decentralized nor a currency backed by secure cryptography.
> I am shocked that you would call a hash function deployed in production, with "a 800 million dollar bug bounty" as Dominik put it, a prototype.
I see Greek wasn’t your favorite subject in school :), don’t worry, word “prototype” is similar to https://en.wikipedia.org/wiki/Prototype_pattern, not to what you thought about. It is also important to keep in mind that all distributed ledgers are currently in a “prototype phase“.
Just my two cents. Most of this is over my head as I'm not by any means a cryptography expert.
Prof: I've noticed that you're using a non-standard brakepad material, which functions very poorly for stopping the motion of the car. You should fix this.
Startup: That's fine, these peels are organic and eco friendly, and they're safe because I modelled them in the same shape and size as normal brake pads.
It’s a fun read and you’ll probably end up unimpressed to say the least.
It is from the same author
Doing research into things, publishing results, and shorting is perfectly legitimate. It's how Lumber Liquidators was found to be using formaldehyde. Just because someone says something you don't like, and they have a short position in the thing, doesn't mean they are wrong.
The whole thing started with someone finding something wrong with the 'Curl' wrapper around a packet that's being sent from A->B. Apparently, this violates a EU-CMA security protocol, and this is an issue. Lots of holes in my knowledge there, but I got the jist.
What I don't get, is HOW this became a bipartisan issue with HN/Reddit. Because if you read the 124 pages, it becomes clear that both the IOTA team, as well as the MIT team were bad at communicating with each other, the purpose of this bad communication is unknown, but both are at fault.
So we at HN look at some emails from IOTA and call out their unprofessional behavior, and Reddit does the same thing with MIT's team.
What if someone has no perspective of how these communications usually take place? It looks like (upon the assumption that IOTA's team member was indeed in an 'incomprehensible' state when he typed that email out) MIT's team member without a second warning, just went ahead with publishing the paper.
So what's the big mess? It's pretty clear that both parties messed by being sloppy at emailing each other.
I think there was some disbelief that a team with so much money could have made such an incredibly rookie mistake.
From my PoV there seems to be little-to-no miscommunication in bad faith on the part of the MIT researchers in these emails, but a lot of dismissiveness from the IOTA developers towards the concerns that were brought to them.
Over the past few days, it seems to have only gotten worse on Twitter (I encourage you to check out the recent threads in which @matthew_d_green engages with @c___f___b only to be accused of professional incompetence).
tl;dr (from my perspective) is that the big mess here comes from a party without proper education in the field producing a $1B+ market cap cryptocurrency while _unnecessarily rolling their own crypto primitives_, and then steadfastly ignoring the suggestions academics who have spent their entire lives researching this field.
a) there's nothing broken in the Zcash cryptography. Some cryptographic assumptions used by SNARKs are a bit hairy and novel, but these assumptions, and variants there-of, haven't been broken in over 25 years of trying.
b) State-of-the-art efficient SNARKs require trusted setup, but this can be distributed, as was done with Zcash and will be done, in a better way, in the next Zcash upgrade.
c) CFB called Aumasson's methods 'primitive'. Hardly polite, especially considering Aumasson is co-creator of solid hash functions like Blake2.
-No one but the participants should trust a trusted setup, and even then, it's only if they can vouch for their OPSEC.
- B goes to my point that Green is inept as that should have been where they started.
- And they were cordial after they talked through the issues and Aumasson reliezed CFB's point (also, appeal to authority backfires when the authority agrees with the person you are criticizing).
Spend less time worrying about what I'm doing elsewhere and more on the argument in front of you. But it does seem fitting that you are supporting a dev who shows more concern for what others are doing than the product he helped drive into the ground.
I think we've all worked with a Sergey in our careers so far. And most of us end up doing what Ethan did.
A more general point is that you should never roll your own crypto and if you must then it should be submitted for peer review by cryptographers before using it in a security critical application.
I know this is a pretty standard way to carry a technical conversation in the crypto community, but this is a pure and unadulterated argument from authority. I don't think other fields of computer science get away with this bullshit (you can't invent anything new unless you get a blessing from "the community").
When you’re working on something where “works great” and “completely broken” are almost indistinguishable, the only way to even have a hope of avoiding the second one is by having a lot of smart people bang on it for a long time.
Furthermore, assuming certain properties are satisfied by SHA2, we can order that different constructions based on it (eg a Merkle tree) are secure.
Cryptography is highly mathematical.
Under very carefully chosen assumptions, which may or may not be true (hello Random Oracle). But this is a very flimsy sort of proof.
My central point is that statistical tests are not in anyway sufficient for showing the security of a cryptographic hash function since it is easy to create a hash function that passes them and is broken. My evidence was the SHA-3 competition.
Why go through the trouble of creating a pdf from different emails (he calls "letters") when he could just save the messages verbatim as plain text incl timestamps & other metadata. Some of the justifications for creating a homebrew-crypto says a lot. This sure is nonsense.
That says it all.
It is interesting if you find cryptocurrencies interesting, as it shows how "well" run many are - and IOTA is by no means an outlier here. The foundations are simply not lousy with cryptography, programming and economics experts who are solely interested in best practices.
Pardon my ignorance but I am confused with engagement of MIT Media lab in this. Was it volunteer or there was some formal engagement between IOTA foundation and MIT Media lab?
I mean what did you expect from a weird shitcoin that uses trinary arithmetic (really?) for no good reason.
edit: letter #11 says "shit's fucked, yo".
You should start reading at #76. It is a fast read.
But for the love of god man, /never invent your own crypto/
The market can remain irrational longer than you can remain solvent. Be content to eat popcorn and wait.
Now, full disclosure, I'm not entirely sure I believe in this, I'm just citing sources but check these out:
Also, Don Knuth likes balanced ternary, and, well, I guess that counts for something.
(again, personally I have no idea if I think it's nonsense or not)
However there are places where we look beyond binary; most notably in storage where data density is job one. The vast majority of FLASH is using MLC (4-values) or TLC (8-values) which need heroic circuits to recover the data. But note, these are 2^2 and 2^3, still binary based.
That's a contradictory statement. If it was as efficient as claimed it wouldn't be bollocks. But it isn't, thus, bollocks.
"(with a split power supply - positive, negative and ground) would have the same noise immunity as binary."
I'm not a EE, but my understanding from EE friends is that isn't true.
Only if you increase the supply voltage such that:
V+tern - GNDtern == V+bin - GNDbin == GNDtern - V-tern
IOTA: Can you look into our laundry detergent product and review it's safety?
DCI: Sure. We've got some accomplished chemists that will do a careful review.
IOTA: Cool, let us know what you find.
DCI: Uh oh, it looks like we found a critical problem with your detergent. We tested the product and it seems to have poisonous properties.
IOTA: How did that happen? Did someone accidentally ingest it?
DCI: Can you prove that your laundry detergent pods are safe when ingested?
IOTA: Don't ingest them. Use them to do laundry.
DCI: I see, so you don't deny that they are unsafe for consumption?
IOTA: I don't understand. Why would you try to eat them? Our instructions clearly say that's not what they are for.
DCI: Look, we have a lot of experience with chemicals. Every chemist out there will tell you that these ingredients are unsafe for consumption. Ask for a second opinion if you like.
IOTA: Ok but can you show that they are unsafe to use for laundry?
DCI: We'll let everyone know that this laundry detergent is unsafe.
IOTA: Wait, can you also tell everyone that they shouldn't eat them?
IOTA: Did you just publish?
In this case, the `curl` function is not being used as a hash function, but a different type of mapping. Unfortunately, that mapping is supposed to be psuedo-random and now it is known that it is not.
(You need x, and an attack doesn't need to be polynomial to break the hash function; it just needs to be fast enough, considering constant factors, to fit within some plausible attacker's computational resources.)