Thursday, December 14, 2017

IOTA: off the blockchain and onto the "Tangle" - raising concerns from some security experts...

IOTA has received a lot of buzz lately, along with a huge spike in value, making it worth taking a second look at its technology.

While IOTA is still a 'cryptocurrency', it functions like no other, and has received both praise and criticism for it.

IOTA chart on Coinmarketcap.

IOTA runs on a 'Tangle' instead of a blockchain. This means there are no miners: instead, when someone makes a transaction, they also confirm 2 others.

It is an interesting new concept, first met with praise for its efficiency and speed, then later criticized for security flaws.

First, researchers at MIT and Boston University discovered the ability to forge some of these signatures, stating in a post on GitHub:

We present attacks on the cryptography used in the IOTA blockchain including under certain conditions the ability to forge signatures. We have developed practical attacks on IOTA’s cryptographic hash function Curl, allowing us to quickly generate short colliding messages...

Then, just a couple of weeks later, Nick Johnson, one of Ethereum's core developers, published a document titled "Why I find Iota deeply alarming", where he outlined his belief that IOTA valued copy-protection over security, stating:

Iota is a bad actor in the open source community.... Sergey Ivancheglo, Iota’s cofounder, claims that the flaws in the Curl hash function were in fact deliberate; that they were inserted as ‘copy protection’, to prevent copycat projects, and to allow the Iota team to compromise those projects if they sprang up.

It honestly astounds me that anyone would think this justification redeems them; it’s an admission of hostile intent towards the open-source community, akin to publishing a recipe but leaving out a critical step, rendering the resulting dish poisonous to anyone who eats it. 

If Iota wish to discourage copycats, they can license their code in a manner that prohibits the kinds of reuse they are unhappy with, or keep it closed source, as they have done with their centralised coordinator. That, of course, would lose them the approval of the open source community — but so should their actions here, in booby trapping the code they release.

Since the discovery, IOTA has patched these exploits, and its co-founder openly admits it's in a “very early-stage beta.”

IOTA has hired a third party to help improve its existing tech, and at a time when investors are throwing money into anything on an upswing, it's important that people know the current 'experimental' status of the project.

Author: Ross Davis
San Francisco News Desk