Centralized Attack Vectors Everywhere

in #hive-167922last year

steel_bank_vault.jpg

Decentralization and Security go hand in hand.

Or do they? If you go to a bank do you expect them to have a separate vault for each person, or do you expect them to have one really good vault that stores everyone's value? I'm fairly certain that pretty much everyone is going to expect they have the one really nice vault that contains all the goods. Maybe inside the vault there are individual lockboxes for each person, but this is beside the point. If you can break into a vault then the lockboxes don't stand a chance.

On a very real level our brains are simply not wired for decentralization.

We should be honest with ourselves: decentralization? It kinda sucks. It's not efficient. It's not profitable. It's a pain in the ass. A centralized streamlined solution is always going to be better, as long as we can trust the entity in charge.

Technology has come full circle in this regard.

Tech is creating so much abundance that we can now afford to be extremely inefficient and wasteful in the name of decentralization. Humanity has reached the apex of centralized efficiency, and now we need to wind it down and create a new robust foundation that will scale to even greater heights than the last system. The problem? Scaling is hard and all roads lead to centralization.

Thus we are left with a situation where we meticulously need to pick and choose exactly how much decentralization is required so that the system does not become corrupted, but still operates at peak efficiency. This song and dance is one of the hardest needles to thread, perhaps ever. Expect that we continue to fail to scale gracefully over time. There will always be a bigger and badder boss to defeat after the current one is vanquished.


attack-vector-virus.png

Shit rolls down hill.

Take a look at Ethereum.

  • The stake is centralized.
  • The governance is centralized (and not even off-chain in many cases).
  • Everything built on it is even more centralized.
  • Every access point is centralized.

And yet it still kinda works.

Will Ethereum eventually experience complete systemic failure and/or be captured by the bankers? I mean, maybe? Honestly I doubt it though. The doomsayers and blackpillers make good points, but they always fail to understand what will actually happen within the simulation of a worst-case scenario. According to a blackpiller the Hive community doesn't even exist because we got successfully money attacked. That is simply not how reality operates. The confidence of the naysayers is boundless, and they never admit their failures even when proven wrong beyond any doubt.

ethereum-metamask-chrome.png

Metamask

Did you know that Metamask is a completely centralized product controlled by a single agent? It's owned and operated by a company called ConsenSus... sorry... ConsenSys Software Incorporated. They are pretty Sus though.

https://consensys.io

Consensys - A complete suite of trusted products to build ...

Consensys is the leading blockchain and web3 software company. Since 2014, Consensys has been at the forefront of innovation, pioneering technological ...

So imagine being a dev in crypto and needing to tell people you've created a "trusted suite of products". It wasn't that long ago Metamask caved in and agreed to start collecting/selling information on users that connect to their Ethereum nodes. Hm, yes, very trustworthy. Oh yeah and by the way the vast majority of users connect to their nodes by default. Not connecting to their nodes is basically for advanced users. Totally WEB3. Yep.

How many people use Metamask for literally anything and everything EVM related? I know I do: it's a solid product and I have no reason to seek elsewhere. Another really nice thing about Metamask is that I don't even need to use the hot-wallet: I just connect it to my hardware wallet and perform all actions through that, which is obviously a lot more secure and allows me to trust them more.

But what if Metamask went rogue?

What if they just decided to replace my intended smart contract with something that drained all my assets? I would have zero recourse. Reading smart contracts before you sign them is a hyper-advanced move. Almost nobody does it; they simply trust both the frontend and Metamask simultaneously. That's two centralized attack vectors on every single operation.

decentralized-centralized-distrubuted-spectrum.jpeg

All frontends are centralized.

Every server is centralized.
Every node is centralized.
They are all controlled by a single entity.

Perhaps in light of this information one might ask how decentralization is even possible. Decentralization happens through the process of consensus and nodes talking to each-other while coming to very strict agreements. If a hundred centralized nodes are all saying the same thing we have a reasonable expectation that they are all telling the truth. If they were all lying in unison that would be quite the thing.

This is why many Bitcoiners are so obsessed with security.

A lot of these old-schoolers out there will tell you that in order to confirm a Bitcoin transaction you need to be running your own node. After all if you delegate that responsibility to someone else then you're trusting someone else. This makes sense within the context of having your entire life savings in Bitcoin and one wrong move could result in catastrophic failure.

However, then the node you are running itself becomes the centralized attack vector. What happens if you asked 100 nodes for the truth and they all gave you the same answer? We assume true. But if your node is hacked the code can still feed you a lie regardless of all that. It becomes obvious quite quickly just how tricky it can be to secure a honeypot like crypto sitting on a centralized exchange.

A lot of these complexities get alleviated by cold storage.

It's not that hard to generate a private key offline and then send money to the public key one time. I've even read that this strategy makes the funds quantum-resistant because the algorithm wouldn't even have a signature to hack and reverse engineer back into a password. Although that is all quite beyond my depth.

Spectrum-wave-radio-signal-frequency-range.jpg

Decentralization as a spectrum.

There is no such thing as "centralized" or "decentralized" in binary terms. The central bank system is 'obviously' decentralized because central banks serve retail banks and retail banks serve the public. There are many central banks so the system is clearly decentralized. They are only called "central" because they connect to retail 'nodes' and do not interface directly with the public. It's really not that different from a full node on Hive servicing the API for dozens of other apps and websites.

Of course we already know that banks are not to be trusted.

We already know that while an argument could be made that the system is decentralized and there are some checks & balances in play that it simply isn't decentralized enough to be trusted henceforth. However, we should be cognizant of begging the question: starting with the answer and working backwards to the problem can be dangerous and lacks a certain nuance and finesse that might be required for further understanding.

Speaking of Hive...

This problem is not native to other platforms. The same rules apply to everyone equally. Hive Keychain is a centralized browser extension. I'm writing this post on peakd.com, another centralized attack vector. If any of these actors building on Hive decided to go blackhat they could do serious damage before everyone fully realized they needed to stop using the product. To many people are blindly trusting these entities without understanding the risks. This is par for the course: many will have to learn the hard way. I just hope it's not our community.

Of course there is a reasonable expectation that stuff like this will never happen, or if it does it will be extremely rare and the consequences will be mitigated by the various failsafes we have in play. Money can't be stolen if it's timelocked. Accounts can't be stolen with a solid recovery account. In many ways Hive is a lot more secure than Bitcoin. Everyone knows damn well if your keys get stolen on Bitcoin there is just about a 0% chance of recovering the funds lost.

Threat-vectors-attack.png

Conclusion

Decentralization is not "good" and it never will be. It's inherently inefficient and difficult to scale. It will only ever be "good enough". Anyone with a logical mindset of: "More decentralization is good no matter what," does not understand the tradeoffs in play.

Luckily the exponential abundance of technology allows us to be wasteful while still maintaining viable business and economic models. The one thing that's been lagging behind for the last hundred years is the ability to trust other people, especially when it comes to the creation of money itself and the ability to secure it. Thus we will continue to sacrifice abundance in order to create these inefficient systems in which people are no longer in charge, and instead are replaced by the ideals and consensus of society.

However, knowing the risks is important. Most things are centralized, even within decentralized ecosystems. One person will always be one person. One business will always be one business. Only when these entities come to agreement can we be reasonably sure that there isn't any funny-business going on. However what are the chances that a website is in consensus with another website? All frontends are centralized. All wallets are centralized. Even code is centralized (how often does code check itself for consensus before executing?) Only the backends employ actual decentralization at the moment. Sometimes it's good to remind oneself how the sausage is made, even if it is a bit gross.

Sort:  

A BOOM.
In fact , its worth 2.

So I'll boom one of your repplies.

It's true that almost everything is centralised at its core. Hopefully we won't be seeing any Hive frontend going rougue anytime soon and in the future.
Just thinking about that gives me the chills.

I think Decentralization is the angel we don't know yet and Centralization -the devil we've always know.

Even crypto that we've been preaching to be decentralized is just an agreement/connection between two individual financially.

The main worry I have is centralization of the internet to the point where data packets can be hashed to a global ID for internet access. As it is now, that would require a lot of restructuring and the breaking of code, but not impossible. Just impractical, except for the fact that those at the top with nearly unlimited resources want it to extend their hold from the IoT to the internet of bodies. If the last 3 years have proved anything, it's that they don't mind breaking things in order to get what they want.

Loading...

My head hurts after reading this.
My greatest disappointment after learning about cryptocurrency is how centralized it is, but lacking the regulation and oversight of centralized traditional finance, so theft and abuse are common. We are in our infancy. It’s the wild Wild West with shoot outs on main street daily and plenty of collateral damage.

Congratulations @edicted! You have completed the following achievement on the Hive blockchain And have been rewarded with New badge(s)

You received more than 130000 HP as payout for your posts, comments and curation.
Your next payout target is 132000 HP.
The unit is Hive Power equivalent because post and comment rewards can be split into HP and HBD

You can view your badges on your board and compare yourself to others in the Ranking
If you no longer want to receive notifications, reply to this comment with the word STOP

To support your work, I also upvoted your post!

Check out our last posts:

HiveBuzz World Cup Contest - The results, the winners and the prizes
HiveBuzz World Cup Contest - Recap of the Final
Women's World Cup Contest - Recap of the play-off for third place

You are right, if an insider becomes the bad guy. The terror it will bring on will be unimaginable.

Thank you for the eye opener