Project title: StellarGuard

Summary:

Security for your Stellar account

Why spend $100 or more on a hardware wallet just so you can feel safe with your XLM, when you can use the built-in multisignature capabilities of the Stellar network with StellarGuard for free? StellarGuard works with your existing Stellar wallet to keep your account safe by adding 2 factor auth to any wallet. Even if your secret key is compromised, your coins will stay. Lobstr, StellarTerm, Stellarport, Interstellar.Exchange, Stargazer and even the Stellar Account Viewer: StellarGuard protects them all.

Goals:

Here are StellarGuard's 2019 objectives:

  1. Rate limiting:
    • Basic rules engine to let the user decide how much XLM they can send per time period (working on this now)
    • Enable a mode for "automatic" co-signing for transactions that pass these rules. This would enable trade bots and/or anchors.
    • Enhanced rules engine rules: additional assets, destinations, lockup rules, etc.
  2. Additional security features:
    • U2F option for multi-factor authentication (physical keys)
    • Scam/address blacklist + scoring how "risky" a transaction is based on previous transactions, destinations, etc.
  3. Enhanced privacy features:
    • New co-signer per account you add instead of sharing the same one.
    • Transaction source tumbler/obfuscation (this will take some research): imagine you send a transaction to someone but you don't want them to know how many XLM you have -- the goal of this feature is to send it through enough hops/mix with other operations that the source account is not able to easily be recovered
  4. Site Redesign + UI Changes
    • New logo now that the Stellar rocketship is gone
    • Cleaning up the UX of many pain points, especially the process where you add multiple signers to your account
    • Color scheme/branding changes
    • Better emails -- right now everything is plain text and boring
    • Transaction details page revamp: this page is confusing and incomplete -- some transaction types are just JSON dumps

Links:
Website: https://stellarguard.me
Github (all StellarGuard code is open source and MIT licensed): https://github.com/stellarguard
Blog: https://medium.com/@stellarguard

Anything else:

As the winner of the last SBC, some of you may be asking "why do you need more money?", and that's definitely a fair question to ask!

Here's how I've used the winnings from the last SBC:

  1. Due to US tax laws, I ended up having to pay taxes on the USD value of what the lumens were worth when they were awarded. I unfortunately did not sell enough to cover my anticipated tax amount immediately when they were awarded. Because of the way the award was taxed (1099, with all the self-employment taxes that entails), it ended up being 35% of the present value. Because the value of the lumens had dropped so far from when it was awarded (worth around 50% of what it was), the taxes ended up consuming almost 80% of the entire award. I ended up paying that completely out of pocket because I just couldn't face selling at the low point to cover the taxes... hopefully it comes back. Lesson learned, I'll survive and move on.

  2. Warning: personal background time -- this should not influence your decision about whether to choose this project, it should win or lose on its own merits; this explanation is just to add color to my decision about how I spent some of the winnings. I have a full time job and am a father of 3 with a 1 year old child with special needs. All of the time I've spent on this project has been nights or weekends after I've put the kids to sleep. It was not uncommon for me to work on StellarGuard from 11pm-3am and then wake up at 6:30am to get the kids ready for school. All of this started to take a toll on me, and I realized I was getting less and less done as I got more and more exhausted.

Because of that, I decided to look for a freelancer to help me accelerate one of the objectives I had (namely the throttling/spend limits and bot support feature). I found someone from a Hacker News thread and exchanged emails and discussed the features and the terms: we agreed on $6000, 1/3 up-front, 1/3 on the first milestone (working demo), and 1/3 when the code was delivered. Everything seemed great and I sent out a tweet a few months ago saying that the feature was "coming soon" after the first demo. Unfortunately, after I sent the 2/3 of the payment, the developer COMPLETELY stopped communicating with me. I cannot get ahold of him by phone or email and because he's based in another country I don't think it's worth it to pursue it legally. So now I'm back to building that feature from scratch by myself. Again lesson learned (I'm learning a lot, hah).

  3. Although I have not done this yet, I'd like to hire a part-time support person to answer emails and support requests. This surprisingly (to me at least, maybe not to others) takes up at least 20% of the time that I'm working on StellarGuard. A lot of the emails are something like "can you help me add multisig to my account" or "I tried to configure my account manually and messed up the weights, is there anything you can do?". I'd like to hire someone to answer those so I can focus on feature development/coding.

Additionally, I'd like to continue working on my "Anatomy of a Scam" series about spotting Stellar scams and how to avoid them. Possibly this will morph into a global "watchlist" of bad actors, websites, and addresses.


Thanks for supporting StellarGuard, let's all work together to keep each other safe out there!


    You can never have enough security when it comes to one's money.
    Your background story about building everything in the late hours of the night sounds very familiar to me. Seeing all the trouble you went through with the previous prize money and your freelancer disappearing I really hope you manage to get funding through the SCF this time again.
    Best of luck to you!


    I've launched a beta version of the logo + color scheme refresh to https://test.stellarguard.me. I'd really appreciate any feedback about it!

    Additionally, I updated https://github.com/stellarguard/multisig-utils and https://github.com/stellarguard/stellar-uri with versions of the JS SDK that support protocol 11 (as well as updating StellarGuard to support protocol 11).

    Regarding the throttling engine: I'm trying out the new Stellar Go SDK and seeing how the throttling engine would work as a Go microservice. So far so good!

    Thanks for your support so far everyone.

      StellarGuard

      The logo + text colour looks a bit off, in combination with the background. Too bright perhaps, I don't have the words. Compare that to the peachy colour of the CTA button, which is much more in harmony with the background.

      Logo itself is absolutely brilliant!

      Agree with dzham, the logo color should be toned down a bit. About the logo, I would make a small change to where the shield connects to the new lines to keep it in line with the new stellar logo:

        Thanks for the feedback! I'll definitely be adjusting the colors based on your and others' feedback -- probably to something slightly and closer to the old blue.


        1) If you received a lumen award in the past, you should have taken immediate steps to safeguard it from a downswing in the lumen price to ensure you could complete the project for which the funds were granted. Not doing so was kind of irresponsible. 2) If you already have received funds, perhaps you should give other projects a chance. 3) I don't have connections on this board as I'm a new member, so I doubt I'll be able to get votes, but my project has merit, I don't have a family, children, or a day job. I can work 100 hours a week on my project and I can deliver. I would have loved to have received funding from the SBC. That's a once in a lifetime opportunity. I wouldn't have squandered it and then asked for more money while giving all kinds of excuses. I would have delivered GREAT RESULTS and I would have worked incredibly hard.

        Additionally, I'd like to continue working on my "Anatomy of a Scam" series about spotting Stellar scams and how to avoid them.


        Unfortunately, after I sent the 2/3 of the payment, the developer COMPLETELY stopped communicating with me. I cannot get ahold of him by phone or email and because he's based in another country I don't think it's worth it to pursue it legally.

        I'm sorry to be critical, but you don't seem to be that great at spotting scams? If you are awarded more lumens, how do we know you can StellarGuard them?

        I do appreciate you being open and honest about what went wrong though. Everybody makes mistakes. But to be awarded another fund, it's important to ask tough questions. How do we know issues with family, children, and your day job won't get in the way? The more you use the funds to hire people instead of doing the work yourself, the greater the risk that something goes wrong again. Other developers and people you hire will only care about their paycheck and not whether the project succeeds.

          @deylandra

          I agree that those considerations don't really have their place in a project entry.

          However, this is not just StellarGuard: most projects that participated in the last SBC suffered from the low amount of allocated funds and the market crash that happened right after we received those funds. After that we had 10 months without any contest. It has been hard for independent devs, and most of them left the boat.

          I've not seen anything like the lifetime opportunity you mentioned. Working on the economy 3.0 is the most precarious & unrewarding activity I have ever had. That's why I definitely understand Paul's complaint.

          Now if you think you're that great, maybe you'll do better. It will take more than words, though.

            @deylandra

            MisterTicot Now if you think you're that great, maybe you'll do better. It will take more than words, though.

            The thing to remember about the SBC is that there were no stipulations about what the funds could be used for. They were awards for existing work.

            The fact that some people decided to stick around, and use that money for funding further advancement of their projects only speaks in their favour. There are certainly enough people who took the cash, and just disappeared.

            The thing to remember about the SBC is that there were no stipulations about what the funds could be used for. They were awards for existing work.

            I didn't realize that. I can certainly imagine the horror of many ICO projects last year when Ethereum crashed 90% and they no longer had the funds to complete the ICO work. That surely must have disrupted a great many projects.

              deylandra

              Uhm, I feel like you're misinterpreting things intentionally, twisting my words.

              ICOs specifically asked for funding for future developments. SBC projects didn't. Huge difference.

              deylandra Fair question. I thought I did my due diligence, drew up a contract, and hired someone who claimed loads of prior experience, but I should have looked more into his references. This is just one of those things where I have to take my lumps and learn from it, and as odd as it may seem I'm actually glad it didn't happen with a larger contract. I'll be much more skeptical in the future when hiring.

              I guess there can be two schools of thought about what the SCF should be used for: do you award people as a thank you for doing good work and that's that, or do you award them so that they can hire people and accelerate development? It's probably a mixture of the two but as a voter I'd definitely lean more towards the latter.

              As for my family and work, it definitely gets in the way! I'll readily admit that I wish I had more time to work on this. I do hope to get to a point, through SCF, other developer programs, or an eventual paid version of StellarGuard with pro features, where I can end up working full time on it AND hire others to do it.

              For the Anatomy of a Scam, check out the first one if you haven't already: https://medium.com/@stellarguard/anatomy-of-a-stellar-scam-the-hard-fork-4ac89808fd38, it's less about pointing out a single scam and more about giving you a framework for detecting them yourself. It's that sort of thing I'd like to continue with -- teach a man to fish... you know how the rest goes.

              Good luck on your submission. I hope if it's a project that you're passionate about that you continue to work on it even if you don't win. StellarGuard did not win the first time I submitted it and I continued to work on it -- don't let it discourage you!

              I actually can feel your pain and relate. A programmer I'm building language software with had an unexpected pregnancy and he did not have insurance for it (they thought he was infertile due to past medical issues.)

              I was supposed to pay him $10,000 upon completion of the work, well, his wife goes into labor and he's like I really need the money now, I have to pay the hospital bills.

              Well I've known him for over 10 years, always did great work, so I pay.

              For six months I don't hear from him. Turns out he's having major financial problems supporting his wife and three kids, all of his time is spent getting jobs for immediate income to just barely get by, so he hasn't had time to complete the work for me because it's not going to bring in immediate cash since he already got paid.

              After six months, he completes the work, but it's a rush job and it doesn't function right, so I'm having to redo most of the work myself. He has complained a lot about getting stiffed from people he does jobs for over the years, I think it's very common on both ends.

              In the future I will use escrow. That way the programmer/contractor doesn't have to worry about getting stiffed and vice versa.

              Agree on smaller tasks or milestones, 50% upfront, 50% after completion of task/milestone. Works for me. I often pay weekly or bi-weekly. But I think this is not the place to discuss this, maybe a mod can move or remove our off-topic posts 🙂

              Okay, okay, how about calling it WIFEGUARD and then doing an Anatomy of how to keep your wife from spending your money.

              I would totally vote for that.

              We definitely went off the rails with this conversation! Can we please just talk about Rampart... err... StellarGuard?

              I've been thinking more about throttling implementation, and I believe it makes sense just to add the rules engine right from the beginning.

              Some simple rules to start are exactly those throttling rules mentioned before, but it opens the door to much bigger things.

              Examples:

                • Allow sending at most 100 XLM per day, or reject the transaction.
                • When sending XLM to <G....> do not require approval.
                • For any payments over 1000 XLM, require a 2 factor auth token.

              The devil is in the details and I want to take some time to get this right, but I wanted to start getting some feedback about what sort of rules you might actually use, given this capability. Especially interested in how Stellar bot users might use this.
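The post above sketches three kinds of rules (a per-day spend limit, an auto-sign destination, and a 2FA threshold) and mentions trying the throttling engine as a Go microservice. Here is an added example, not code from the StellarGuard project, of how a co-signer could evaluate those rules in a fixed priority order; the `Payment` and `Rules` types, the rolling 24-hour window, and all values are assumptions made for the illustration.

```go
package main

import "time"

// Decision is what the co-signer does with a payment after the rules run.
type Decision int

const (
	Reject          Decision = iota // outside the user's limits: do not co-sign
	AutoSign                        // co-sign with no manual approval (bot-friendly)
	RequireApproval                 // normal flow: the user approves in StellarGuard
	Require2FA                      // the user must also present a 2FA token
)

// Payment is the subset of a transaction the rules look at (constructed for this example).
type Payment struct {
	Destination string
	AmountXLM   float64
	At          time.Time
}
// Rules mirrors the three example rules from the post; the values are user-chosen.
type Rules struct {
	DailyLimitXLM     float64         // "at most N XLM per day, or reject"
	AutoSignDests     map[string]bool // "when sending to G... do not require approval"
	TwoFactorAboveXLM float64         // "payments over N XLM require a 2FA token"
}

// sentInWindow sums payments co-signed in the 24h before now (a rolling window,
// so a user cannot double their limit by sending just before and after midnight).
func sentInWindow(history []Payment, now time.Time) float64 {
	var total float64
	for _, p := range history {
		if !p.At.Before(now.Add(-24*time.Hour)) && !p.At.After(now) {
			total += p.AmountXLM
		}
	}
	return total
}

// Evaluate checks rules strictest-first: a hard limit beats an escalation, and an
// escalation beats a relaxation, so a trusted destination can never skip 2FA.
func (r Rules) Evaluate(p Payment, history []Payment) Decision {
	if p.AmountXLM <= 0 || sentInWindow(history, p.At)+p.AmountXLM > r.DailyLimitXLM {
		return Reject // non-positive amounts are rejected so they cannot game the sum
	}
	if p.AmountXLM > r.TwoFactorAboveXLM {
		return Require2FA
	}
	if r.AutoSignDests[p.Destination] {
		return AutoSign
	}
	return RequireApproval
}
```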