I am new to SAFE and I’ve been reading about it for a little while now, but I haven’t been able to figure out how the SAFE network would defend against hacked software that someone might develop. Specifically, software that creates a node that doesn’t scrub IPs, keeps track of data packets sent, encrypts things with a backdoor (somehow), or other various actions. It doesn’t matter what it does; it matters whether nodes can appear to be normal but do nefarious things. How would the network tell the difference?
Along the same lines, how is the SAFE network updated once it is released? What if someday MAIDsafe is taken over by people who post “open source” code but then release it with compiled code that includes backdoors?
It is likely that I misunderstand something about how SAFE works, so feel free to correct my misunderstanding!
Welcome BloggerOfThings. I think these will answer a lot of your questions.
A bad node (doesn’t get SAFEcoins, times out or is completely shut off). A node only has encrypted chunks, so it can’t do anything with that, and data will heal itself (4 copies).
[quote=“BloggerOfThings, post:1, topic:4551”]
Along the same lines, how is the SAFE network updated once it is released?
[/quote]
David said in a video that the SAFE Network would only accept code if it improved. So the code can only get better or will not be accepted by the SAFE Network.
doesn’t scrub IPs - the next node will scrub them anyhow.
keeps track of data packets sent - really of little value unless you could get a major number of nodes doing this and collate the data. All the node would see is that a packet came from a node and passed through the “evil” node and was sent to another node. The “evil” node knows nothing of the chunk passed through it, doesn’t know who it’s being sent to or what it contains.
encrypts things with a backdoor (somehow) - this would only affect the data that the node put onto the SAFE network itself. Data is encrypted before it is sent over the network for storage (or other purpose) and the (other) nodes do not do the encrypting. Also any modifications to the chunk made by the “evil” node will only cause that chunk to be rejected since the hash testing would identify the chunk as bad, and the network will source the chunk from one of the other vaults.
Okay but what if it does both? What if the code does include an improvement but also a vulnerability or other malicious code? Somewhat like how some genetic diseases also have the flip side of improving one’s immune system against other diseases. Or if you have a low or high metabolism you might be more or less vulnerable to starvation but also be equally less or more prone to weight gain and able to escape something big and nasty running after you, respectively of course. So what if someone entered a similar kind of trade-off piece of code into an update. It did provide improvements and provide increased security or performance in one area but decreased security and performance in another area, an area that an actor could then exploit.
It was just something I thought of while reading your post. And welcome BloggerOfThings
I think that much of the reason SAFE has taken so long to put out is because you can’t just willy nilly change it once it is out. Most of the functions will be set in stone once it is released – and the parts that can be changed aren’t really the security features. The protocols really cannot be altered once the network is up, as if you speak a different language the network won’t understand you… You can only speak the same language faster…
The main point of security is that everything is encrypted before it gets networked. An attacker may be able to determine that you are sending and receiving data, but they will have no idea what it is, and will have no means to know where or why you are sending it. Also they will have no means to alter it, as any alteration would invalidate the hash by which the chunk is named.
Where it is possible to attack, the network has taken away your ability to pick your hill. For example a certain number of neighbors to an address need to approve a change of ownership. If machines you controlled were all of the neighbors, you could act badly, but you don’t get to pick your address, so in order to win you would have to own well over most of the network. 28 of 32 neighboring nodes (out of probably millions) by sheer luck… If you try to act badly against consensus, the network does disregard you and downgrade you.
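An added example, not code from the thread or from MaidSafe, of the hash-named chunk check the two posts above describe: a client stores 4 copies, asks vaults in turn, rejects any copy whose hash no longer matches the chunk's name, and sources the chunk from another replica. The Vault class, SHA-256 as the naming hash and the sample bytes are assumptions made for the illustration.

```python
import hashlib


def chunk_name(data: bytes) -> str:
    # A chunk is named by the hash of its (already encrypted) content,
    # so any modification produces a different name.
    return hashlib.sha256(data).hexdigest()


class Vault:
    """Holds chunks by name. A 'tampering' vault corrupts what it hands back."""

    def __init__(self, vault_id: str, tampering: bool = False):
        self.vault_id = vault_id
        self.tampering = tampering
        self.chunks = {}

    def store(self, data: bytes) -> str:
        name = chunk_name(data)
        self.chunks[name] = data
        return name

    def fetch(self, name: str):
        data = self.chunks.get(name)
        if data is None:
            return None
        if self.tampering:
            # Flip one bit of the ciphertext before returning it.
            return data[:-1] + bytes([data[-1] ^ 0x01])
        return data


def put_chunk(vaults, data: bytes, copies: int = 4) -> str:
    """Store the chunk on the first `copies` vaults (the thread mentions 4 copies)."""
    for vault in vaults[:copies]:
        vault.store(data)
    return chunk_name(data)


def get_chunk(vaults, name: str):
    """Ask vaults in turn; accept only data whose hash equals the requested name.
    Returns (data_or_None, ids_of_vaults_whose_copy_was_rejected)."""
    rejected = []
    for vault in vaults:
        data = vault.fetch(name)
        if data is None:
            continue
        if chunk_name(data) != name:
            rejected.append(vault.vault_id)  # bad copy: skip this vault, try the next
            continue
        return data, rejected
    return None, rejected


# Constructed sample: stands in for an already self-encrypted chunk.
SAMPLE_CHUNK = b"\x8a\x13encrypted-chunk-sample\x00\xff"
VAULTS = [Vault("v1", tampering=True), Vault("v2"), Vault("v3"), Vault("v4")]
```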
How would it know this? My question is that the code could appear to be normal and even improve the speed of the network(?), but maybe it replaces all node software with software that works exactly the same but then logs all IP addresses (and this is propagated throughout the network), and stores the IP in a privately accessible vault. This would obliterate the anonymity aspect, even if the nodes don’t know the content. Suddenly someone knows who everyone is.
To be very clear, I’m not talking about the specific type of attack; I’m talking about how does the network stop others from hacking the core software and changing it? (And for that matter, how are updates distributed?) Let’s say a virus infects thousands of computers and only goes in to replace the SAFE software with their own special non-anonymous nodes. How would the SAFE network be able to know that the bad nodes are bad? The only difference is that they are recording the IP addresses they see and sending them to a central list (along with whatever else they have). Then the NSA can go through this list and de-anonymize everything. Details aside, it doesn’t matter what the nodes do; that’s less important than how the network would defend itself against any change like this.
The video is interesting, but unfortunately Mr. Hancock’s accent is extremely difficult to understand (plus the acoustics add another bit of difficulty).
Well, the specific examples aren’t the issue. I’m asking about how the network would be able to tell if the software is non-standard. Or something like that. See my post above.
To guard against this would require an OS level protection - virus detector. If this was to occur then it would hardly matter what the software is/does that is infected, the virus can add any code.
In a more general case where node software is compromised then the remaining nodes would shun that node if it affected the chunks.
Otherwise I am uncertain if the SAFE software does an integrity check on loading which is compared against checksums saved on the network. Remember though that the code is open source and any changes to the central code are viewable and would be detected. Updates would be coming from that code base and so the malware can be removed long before there is a network-wide changeover, and before the changes become useful for surveillance.
As with any software we have to trust the closed source company or trust knowledgeable people will detect malware added to open source code.
Well what’s possible for an evil programmer is to create code that in appearance looks benign but that has an evil purpose.
There were competitions before called “The Underhanded C Contest” that would reward those who were able to write short, simple code that could disguise the actual evil payload as an honest mistake. http://www.underhanded-c.org/
These would be hard to detect even if there is an audit and even if it is open source.
Your argument is a fallacy. The perfect network does not exist and will not exist, but you can put in security measures that make any attack extremely difficult. And the SAFE network has them (point-to-point encryption, immutable data verified by hashing, public code, …).
How? Magic…? The communications between nodes are messages, not code. A non-infected node will not accept anything else.
The true problem is secret subpoenas forcing MaidSafe to enter malicious code. In this case a warrant canary or a continuous analysis of the source code is our only life insurance.
It’s not clear how the SAFE network will know code will improve the network. I do not recall this as a feature of SAFE. There would have to be some automated protocol and would be a breakthrough in software development.
I think it’s important to know how changes to the SAFE network would be made once it goes live. There will be bugs and a few growing pains no matter how much testing is done. Hopefully, they will all be minor. It is unrealistic and naive to assume the SAFE code will be written in stone with the first release and have no updates.
Change management is a huge issue with decentralized, p2p software as it becomes more established. Will it remain centralized with the SAFE team? Will there be a voting mechanism? If so, who can vote and how? Who will verify the changes? Etc, etc, etc.
Welcome to the community. Those are good questions, to which in time you’ll find the answers because they have been asked here before. Responses usually help, but it’s always a learning process too, so don’t expect to be satisfied right away. And it’s always hard to explain because it means explaining several different aspects of how the network works, most of which are new ways of thinking, and some counter intuitive.
Thank you (and everyone else) for the welcome! I think my confusion stems from what various people have said about the network vs. how it actually works. @TungSvard’s post sort of sums up the gist of my question regarding the software used by the nodes. Knowing that would address a great deal of my concern.