SAFE Network concerns from an old employee

Found this tweet about a former engineer (Lee) who expresses concerns about the network.

8 Likes

All news is good news. Jameson Lopp has a great following. Seems Mr. Lee has not been successful in finding work since his tenure at Maidsafe. Although its odd he does list his current occupation as Software Developer for Maidsafe. Maybe attention to detail is not one of his stronger suits, which would not be a good thing for a developer.

Jobs and Developer Story - Stack Overflow

3 Likes

Letā€™s not try to discredit his person, and see what other devs have to say to aleviate the mentioned concerns.

23 Likes

I hope your not talking to me because if you are rethinkit.

Think twice before posting a response that implies that information is forthcoming and especially information that ā€œaleviatesā€ concern. Because you dont know if that is coming and you dont know if it will -if it comes - aleviate concern.

The hacker news above is saying something about a technology. The only way your saying something about a technology is by hacking it. I want to see SAFE Network sites go down and the network to crash and burn, after that the Maidsafe team will make a few tweaks and weā€™ll try again. Before any of that happens, all these talks are just cheap ads. :stuck_out_tongue:

Ofcourse I donā€™t want the SAFE Network to crash and burn, but I do want hackers to hack it, so that we can fix stuff and improve the network

4 Likes

Interesting Lee did work for us and is also a member of this forum, I must check his posts at some time to find these issues he mentions warning us about or at least get a sniff of such in between the lines of posts or something.

Basically much of this is FUD and surprising really as a contract Engineer that was not working in or seemed to have knowledge of the areas he seems now to ā€œunderstandā€. Lots of time spent here though which would be nice if it were focused on issues that would help. The assertion that the network relies on the difficulty of creating a key though is not correct and therefore is further surprising. We have certainly not seen any pull requests for any of this, so I suspect helping and assistance is not the purpose here.

I wonā€™t go into some previous employee issues and why they are previous and not current, that is a different matter. A lack of understanding would not help though. Hopefully we can have many reviews etc. but in the open and copied to us so we can make use of them will help us all.

As part of innovation and creation of new devices like SAFE though we must take info from anywhere, but also realise there will be masses of inaccurate information where folk do seem to have inordinate time to criticise and there will be many reasons for such criticism, many of which we will never know, although we may guess. If they end up being a mechanism to distract though then it becomes dangerous. Chris Foster posted a really excellent article about being careful with certain ā€œpostsā€ itā€™s always worth noting that.

If there was an Engineer working in the code who had concerns they would be documented and we could react to them as we go along. That would be normal for sure. We do not simply though rely on key creation difficulty or group signing keys (which do not exist but were mentioned by me as an interesting thing to look at) etc. so we need to filer this info in the email and see if there is anything we can use and if there is then we would for sure :wink:

As we pass through Alpha we are providing the functionality, as this is rolled out we are spending a ton of time on security, which is implemented bit by bit, for instance currently routing meetings are very focused on security, but in phases. So data republish, group security and hop security are all part of that. Network joining is also another part of this, so you create keys and get relocated based on that, but even this relocation does allow a targeting right now, but not by creating a key to do so, but in terms of continually joining and seeing where you got located to, then do this many of times with different nodes to get close. This is prevented though using many methods, such as forced relocation with breadcrumbs, relocation with safecoin and many others. We have not selected the relocation mechanism yet as itā€™s not time. right now differing sized capabilities are the issue to fix and we are on that. That is a much more difficult issue and probably should have been something way up in a critique of somebody wished to be damaging, as we can prove that. There is also secure_serialisation crate we created which is not fully used either, this introduces encrypted comms in crust but still requires incrementing counter for replay prevention. We have a few parts like this otherwise we would be launched already :smiley:

So if there is any useful info we will use it, as you would expect. :thumbsup:

54 Likes

Thanks @dirvine for the prompt and reassuring response ,
itā€™s always good to dissipate FUD as soon as possible ā€¦

5 Likes

Some psycho-analysis on my part ā€¦

Why post this if you donā€™t care about the project ā€¦ and yet, how can you care about the project and not help to post about the problems you perceive in an open forum?

In any case, security is relative - there is nothing absolute/perfect, yet he makes no comparisons to other projects with regard to relative security. So, IMO, he is ā€˜caringā€™ about something else and hence has an ulterior motive.

Furthermore, Lee writes:

ā€œThey have repeated those mistakes in a few instances in the Rust version, but all of these mistakes are more easily solved than the critical issues above. I am highlighting these because their continued existence makes me question whether they can solve the more critical issues.ā€ [emphasis is mine]

How does this comment make sense? The continued existence of MAIDSAFE implies that they WILL solve the more critical issues ā€¦ does it not? He spent a lot of effort writing out his thoughts here, so I wouldnā€™t think it an off-the-cuff remark. IMO, heā€™s not processing things logically.

Perhaps he is resentful or otherwise has some other ill-feeling toward members of the project and is hence not thinking rationally. Itā€™s a bit sad really.

Anyway, on to other things.

3 Likes

I read it as the problems still exist not Maidsafe still exist. Unless I am not understanding you :slight_smile:

Anyway if he had real concerns he could raise them here or directly with the team. Itā€™s some more of what we have seen in the past and will see some more in the future.
Oh look his name is known for a minute.
Nuff said about this malarkey.

5 Likes

You are right. Iā€™m the one not thinking too logically ā€¦ I guess this just pushed my buttons a little too much. Well, in my defense, it was an off-the cuff remark. And I stand by the first and last parts of my analysis.

2 Likes

I believe that if any one of us had been an employee of the project, had concern about the projectā€™s development and had identified any problems, we would have PMā€™d the devs directly. Common loyalty to pass it by former colleagues first. Unless,of course, we are tactless, unprofessional thicks or are motivated by something other than the wellbeing of the project.

4 Likes

Letā€™s not crucify anyone here guys :slight_smile:

What kind of community do we want to be?

11 Likes

Hello @toholdaquill and thank you for your question,

We would be happy to provide immediate background information for a Safe Network security story that can present the case leading up to our equity sale.

J.M. Porup is a freelance national security and cybersecurity reporter based in Toronto. He has previously covered wrongdoing at the NSA, GCHQ, and elsewhere. His work has appeared in Ars Technica, The Christian Science Monitor, Slate, Motherboard, The Daily Dot, The Kernel, and The Economist.

Some recent work:

  1. The NSAā€™s SKYNET program may be killing thousands of innocent people Ars Technica UK, February 16, 2016
  1. UK secret police are indiscriminately spying on millions of innocent people Ars Technica UK, April 20, 2016
  1. Hacking Team hacker steals ā‚¬10K in Bitcoin, sends it to Kurdish anticapitalists in Rojava Ars Technica UK, May 18, 2016
  1. Copperhead OS: The startup that wants to solve Androidā€™s woeful security Ars Technica UK, August 9, 2016
  1. CISSP certification: Are multiple choice tests the best way to hire infosec pros? Ars Technica UK, July 4, 2016
  1. The Internet of Things is a surveillance nightmare The Kernel, March 20, 2016
  1. ā€œInternet of Thingsā€ security is hilariously broken and getting worse Ars Technica, January 23, 2016
  1. Cothority to Apple: Letā€™s make secret backdoors impossible Ars Technica, March 10, 2016
  1. Underwriters Labs refuses to share new IoT cybersecurity standard Ars Technica, April 13, 2016
  1. British Police, in witch hunt, demand suspect turn over encryption keysā€”for the second time Ars Technica, March 31, 2016
  1. European spy tech sold to ultra-secret branch of Egyptian govā€™t, claims new report Ars Technica UK, February 25, 2016
  1. Malware in the hospital Slate, January 25, 2016
  1. FDA presses medical device makers to OK good faith hacking CSM Passcode, February 10, 2016
  1. Ransomware is coming to medical devices Motherboard, November, 2015
  1. Why arenā€™t there better cybersecurity regulations for medical devices? Motherboard, October, 2015
  1. ā€˜Dissent,ā€™ a new type of security tool, could markedly improve online anonymity Motherboard, September, 2015
  1. Qubes OS will ship pre-installed on purismā€™s security-focused Librem 13 laptop Ars Technica, December, 2015
  1. Finally, a ā€˜reasonably-secureā€™ operating system: Qubes R3 Motherboard, October, 2015
  1. Qubes: A Digital Fortress? The Economist, March, 2014
  1. This new ā€˜secureā€™ app for journalists may not be secure at all Motherboard, October, 2015
  1. Reverse engineering proves journalist security app is anything but secure Motherboard, October, 2015
  1. How mexican twitter bots shut down dissent Motherboard, September, 2015
  1. Plunder. Itā€™s a thing. And if you work in Silicon Valley, youā€™re probably doing it. Medium, May, 2015
  1. The printing press created journalism. The internet will destroy it. Medium, March, 2014
  1. How the military uses twitter sock puppets to control debate and suppress dissent Medium, March, 2014
  1. Debian Reproducible Builds Motherboard, September, 2015
  1. How a frozen neutrino observatory grapples with staggering amounts of data Motherboard, October, 2015
4 Likes

relax amigo. Itā€™s only mondayā€¦ depending on your time zone. ,)

Iā€™m not sure anybody crucified or came close to that. The man is an ex contract employee and apparently a member of the forum so part of the community so to speak. I only see questions about the way in which he has done his dance no crucifixion exactly.

4 Likes

Starting to wonder if a pattern is emerging. I try to not be biased but I think Safe is a huge threat to other projects and when ex engineers move on to other projects they may feel threatened? Safe IS ambitious and perhaps that in comparison to other projects increases their skepticism but the proof that Safe is infeasible so far seems to be unfounded.

6 Likes

If I might.

I have the utmost respect for David and the rest of the team, both because of the immensity of the scale of the project they are working on and because of the ethical implications on having a truly decentralized and private Internet.

I have invested (for me) a good chunk of money in the project and have been putting more of my savings into it.

With that said, Iā€™m worried about the lack of a direct reply to a few of the points made in that post.

In particular this one:

An additional problematic area is when nodes connect or disconnect. A group can lose
quorum if enough nodes drop out simultaneously, which would mean that
no more updates can be made to the resource. OR new nodes could
replicate the data from the remaining members of the group which are
below quorum. But if the network were partitioned instead, both sides
of the partition would replicate/repair the quorum and continue to
accept writes. The network would then need an algorithm for merging two
data forks.

Again, Iā€™m not saying the team should, right now, have all the answers.
But some transparency in what, for me at least, appear as fundamental concerns would be great.
An explanation about a solution currently in place, to point out that this is not a problem.
Or ā€œthis is challenge that we recognize and we are working onā€.

Because each time a fundamental criticism is made I only hear silence.

Again, I have money on the project and I want it to succeed because itā€™s aligned with values I hold. So if Iā€™m raising these concerns is because I want to see the project succeed, Iā€™m not trying to be an anti-crypto shill.

16 Likes

If you have money in it thatā€™s a risk you have decided to take. No one has taken your investment and certainly not guaranteed you anything. This is an open source project. You simply cannot have the expectations that you have.

At the end of the day, this guy is not a reliable source from what I can tell. It reads like lazy disinformation to me. he comes right out and says distributed systems were new to him, he relies on intuition and yet he knows the problems they have but doesnā€™t know how to fix them.

What he doesnā€™t understand is he was working in a compartmentalized environment.

1 Like

Iā€™m sorry, but that doesnā€™t address @yvon.fortier his concern, does it? Although you might be right with your analysis, his question that needs a more indepth answer, is:

5 Likes