Search Mailing List Archives
[liberationtech] Tool so people might stop doing crazy things with their bitcoins (and stop being robbed)
thomas at epistulae.net
Sun Jan 28 07:53:16 PST 2018
On 01/28/2018 06:22 AM, Aymeric Vitte wrote:
> People don't estimate the effort to do such tool, which is not
> trivial at all given the over complexification of bitcoin stuff, and
> are trying to cheat modifying the code to remove the fees (which is a
> bit crazy for such a module and could just result for them to send
> their coins to some wrong places or have them locked somewhere)
And so your solution is not to prevent the 'cheating' but instead to
hide it, wave your hands and say "these are not the droids you are
looking for, move along"?
If that is the case, I have a hard time understanding what your
value-add is, because your solution has a hard-embedded way to cheat,
that is fundamental to its operation.
Security through obscurity only works for an ever diminishing time.
> I think it's useless to restart an "open source vs not open source"
> discussion, open source does not mean secure and easy to audit (try
> for example to audit the bitcoin core source code and all
> dependencies), the only thing that matters is that the code is
> provided and can be checked, which is the case
It is most certainly *not* useless to restart this discussion because
people still don't "get it". People need to be told about it over and
over again as demonstrated again right here.
The fact that neither you nor I are knowledgeable enough to be auditing
the BitCoin core source code is not important; what is more important is
that someone who /is/ capable, has the ability, means and access to do
so: light works as a disinfectant and your choice to hide from the light
speaks for itself.
Sadly, you also chose to keep something related to crypto (generation of
hashes) in an inaccessible state. If anything, this is the part that
should be made most easy to audit to those with expertise in that area
since it is the thing that will provide 'trust' to your system. Since
you're dealing with money, I'm pretty convinced that it is incredibly
important to you that people trust your implementation.
Keeping a part, crucial to said trust, inaccessible is a big red flag to
me because chances are, you're rolling your own crypto/hashing. And as
we all (should) know: unless you are or have a team cryptographers that
do this for a living, rolling your own encryption will result in enCRAPtion.
If you're not rolling your own and are using a standard, then why not
make that easy to figure out and audit?
Are you or do you employ one or more cryptographers?
> In the first versions we stated something like "Should this project
> be funded we will remove the dev fees and it will become fully open
Where exactly is this stated? I can't find it if I search your github
spot for the term "source":
More information about the liberationtech