Ecosystem in general

AigarsStaks

Being certified in risk management (CRISK), in information system audits (CISA) and security systems (ISO27002), I see many potential threats not covered in Stellar network.

I believe everyone that invest his/her own money here in this network (like myself) must care about it. Those who who invest their customer money (again me) must care even more ?.

If we see any tiniest risk that parts might fall apart - those must be addressed and compensated via tools, protocols or controls. But so few of those are implemented or enforced so far. I've rissen some of my concerns in Dev thread - https://galactictalk.org/d/550-consensus-talk.

So what could be right place to talk about it?

bkolobara

Hi AigarsStaks

I can't think of any serious threat. Can you elaborate more on the ones you think are out there?

AigarsStaks

Some compensatory controls like would be good idea to consider. This would help to ensure Network converge back to full connectivity despite interests and actions of individual set of nodes.

Compensatory controls to be implemented in Public Stellar Network:
1. Legal - "Network rules". Code of conduct defining "desired" behaviour of Network participants.
2 Legal - "Node hand-shake agreement". Any new node in the nework conneccts to existing node by signing some agreement. Agreement is recursive so it spreads to whole network via node-to-node relations.
3. Technical - "Peer Node validator" -something like health check of neighbour.
4. Technical - "Network health Check" - sort or external portal to see internconnectivity of network and identify green, yelow and red areas.
List might get extended at time.

Aim is to gain high confidence level that network is connected no matter of
1. Every node immediately see risk of dis-connectivity from the "whole".
2. Every node is motivated to fall back to green state.
3. Whole network always converge back to the green state no matter what individual nodes may decide.ck to connectivity despite activities and interests of individual nodes.

umbrel

I like the topic you started, but at the moment I don't know what to contribute to that. I'm currently working on solution for another widespread problem - many Stellar websites / wallets ask you for secret key. It's a heaven for phishing.

andre

umbrel
I am very interested in what you are doing, we have identified this as one of the biggest risks as we are preparing to move stellar into mainstream customers that have little to no exposure to anything blockchain. Please keep us updated on your progress

umbrel

[unknown] well, that current one I can't call a phishing attempt, it's too obvious. But making a new service and collecting user keys is not that hard to do, just because people are getting used to entering it everywhere

andre

umbrel
Yes, agree this latest one was very obvious, BUT to most of the consumers we are now bringing into this brave new world of blockchain would have taken that hook line and sinker! So, yes, its a problem and any solution in that direction will be great. Looking forward to hear more....

andre

[unknown]
I don't believe the solution is or will ever be technical, its got to be non-technical, as @AigarsStaks mentioned in his original post.

With Clic.World we have taken a non technical approach from the beginning wrt the whole issue of identity and KYC and also security. I will post a write-up over the weekend to give an example on how we are incorporating two Stellar wallets into our social banking app where we allow members to use XLM as security against a loan, as well as adding extra security on their wallet using Personal Cluster Authentication (PCA). We will add that into the eSACCO Plus app next week so that you can see how it works - hope this will help to contribute to this discussion.....

andre

[unknown]
Sure, will connect over the weekend....

zcc

General security and specifically the problem @umbrel mentions where websites ask for a secret key was the motivation behind my browser extension project (https://galactictalk.org/d/505-comments-requested-secure-browser-extension) and adding support for the Trezor.

Users should never have to enter their private key into a random website to use the Stellar network, but having all of these tools available as websites is really powerful and makes it easy to get started with Stellar. I'm hoping that the browser extension would be a good compromise for non-technical users.

andre

Introducing the concept of Personal Cluster Authentication (PCA)

Here’s our approach at Clic.World to add a non-technical security layer.

To understand this, first a bit of background and context around the basic principle behind the Clic.World eco-system.

(To get a better understanding I would also recommend reading the eSACCO ICO Prospectus here - https://esacco.co.ug/index/details/launch/)

In short, Clic.World are busy building an eco-system of social financial clusters based on the traditional savings and credit cooperative model that is found all over Africa and in many other developing economies.

The basis of these clusters is the joint management of their finances by a group of people, based on mutual trust, with the financial rewards shared by the group.

(Side note - the reality of the so called “unbanked” and “financial excluded” sectors of the emerging economic world is that the sector does in fact have very organized social financial structures that have survived many obstacles in the past due to being social in nature. It may not be “traditionally” banked as in developed countries - and while primitive and unsophisticated and open to abuse - it does exist and having survived wars, genocides and natural disasters, are handling more money in most countries than the “traditional” banks by a large margin!)

In these trust based clusters we found for instance that loan default rates are very low, less than 2% is common and this include asset funding and trade financing for merchants.

Clic.World provides a modern fully integrated micro banking platform to enable theses clusters to provide a seamless and transparent financial service to their members and across the wider ecosystem at a low to no cost, while building revenue streams that will turn financial services from a cost to an income.

Its against this background that we are introducing the concept of Personal Cluster Authentication (PCA). We are planning to use it across a number of areas in the eco-system in conjuction with the Stellar based OneClic ID function and will provide a more detailed write-up in the weeks ahead. Using it with the eSACCO Plus Stellar investment wallet is the first use case and we are learning a lot.

Here’s a summary of what PCA is:- (See multi sig matrix at the bottom)

Personal Cluster Authentication (PCA) is an enhancement over traditional 2FA (2 Factor Authentication) - which have either serious flaws (sms) or are expensive to implement - by using a person’s existing “real life” relationships as authentication for any changes to their digital identity or for specific transaction authorizations.
To enable PCA a user designate up to 4 of their OneClic ID relationships as authenticators, which will act as Primary Authenticators.
Where the user has been designated as an authenticator by another user, other than his Primary authenticators, that user will act as Secondary authenticator. The Primary and Secondary authenticators form the Relationship Authentication Cluster (RAC) for the user.
Authentication actions in the RAC can be set with different levels and authentication thresholds using a combination of Primary and/or Secondary authenticators.
Authenticators will receive an authentication message; users typically will then call the originator to confirm and then approve by entering their passphrase which will sign the message with their private key, or they can arrange for any other form of verification between themselves to ensure the request is authentic.
The user will pay a small fee (in CLIC’s) for each authentication to reward authenticators.

We are busy incorporating a second Stellar Investment account into the eSACCO Plus application, in addition to the one used as an operating account as part of the digital wallet. The idea is that you only keep a small amount of Stellar assets in the operating account and the rest of your wealth in the investment account where PCA authentication (Default) is mandatory. For the operating account PCA authentication is optional but it will not have the Clic.World escrow signing facility. We believe that 3rd party escrow service (like we see in OpenBazaar for example) will be more practical for escrow related to trading in the operating account in the future.

The Clic escrow signing facility in the investment account serves two purposes - 1) as an additional security layer and 2) as a facilitator to allow the Stellar assets to be used as security against a loan. (Before Clic.World sign it checks is there’s any outstanding loans against the Stellar assets)

I trust this gives you an idea of where we are going and look forward to more constructive discussions around this topic as we are all pushing to take Stellar from the current largely technical communities to mainstream users.

PCA Security Levels Default Pro Vault
Signing Weights
Master Key 10 9 8
Clic.World Escrow Signer 5 5 5
PCA 1 Signer 1 1 1
PCA 2 Signer 0 1 1
PCA 3 Signer 0 0 1
PCA 4 Signer - - -
Low Threshold 10 9 8
Medium Threshold 16 16 16
High Threshold 15 14 13
Escrow time delay option 0 6 24 (hours)

Looking forward to your comments.....

andre

andre
Ok, tried my best but could not get the matrix to format!!!

andre

Got a man on the moon in the '60 but dont have basic editing functions in Galactic Talk :-(!

AigarsStaks

While realizing how it is important and what impact it can have, I do not think wallet protection or phishing should be more significant problem in Stellar that anywhere else.

The concern I have approach to consensus with Stellar and in Bitcoin, as Stellar approach allows for institutional fraud.

Let me explain.
If several Validation nodes belongs to private companies, but those private companies get acquired by some person X, this person controls sub-network of Stellar. For example it is easy for him/her to configure consensus slices so that those point to each other, and only one of slices remains with "trusted backbone" whatever it is.

Once done, person now can isolate some his subnet by cuting connections to rest of the network. If his stake is large enough, and if there is enough transactions, this person can place an offer while network is united, and then split the network getting money twice - from each isolated network.
This leads to the assumption that I can trust Stellar network only if my application is connected to the Node that validates with SDF VALIDATORS 1-3.

Problems:
1- I hardly know to which nodes my application connects to (if I am an end user), so I may be connected to some potential "isolation tree"
2- If all connects only to SDF validators, it ruins an idea of fully distributed network.

istrau2

@AigarsStaks Did you see this:
https://github.com/stellar/stellar-core/blob/master/docs/software/admin.md#quorum-intersection

It seems like your concerns relate to a badly configured network. Of course, the same thing could happen in bitcoin due a DNS partition.

At the end of the day, there are always attack vectors. If some malicious actor wanted to spend a bunch of money buying up validator nodes (or bitcoin mining operations), perhaps he/she would be successful. But at what cost and to what end? It wouldn't take long for the network participants to realize that there had been a network partition and then what? What would the malicious party do? There would basically be a malicious private network and the public network. The value of the network would split (probably with the majority going to the remaining public network). Anchors on the public network would not honor withdrawals on the malicious private network (because it is an entirely different network). The malicious party could probably make away with some money in the initial confusion but would it really recoup the expenses paid to instigate the partition?

AigarsStaks

You have good reasoning. Most of the times it will be accurate. But it is in no way enough for financial network.

In its current implementation Stellar network does not (and cannot) have balanced growth strategy for nodes. To grow, network nodes apply voluntarily and connect to each other based on temporal trust between any 2 of them. SDF provides just initial seed to allow for growth.

As time will pass, same as in Internet, Stellar network will grow. There will be nodes that naturally trust each other so will become more interconnected. Same there will be nodes that do not trust some other nodes specially if those will reside on different continents or different political or religious arrangements.
This will create natural clusters that may become interconnected just via just 1-2 nodes due anything - nodes gets down, gets withdrawn, law enforced restrictions - just name it.

Gaining control on those specific 1-2 nodes will give them ability to split network into two identical sub-nets. This will create initially 2 identical communities where each member will have accounts in both ledgers. All of us will become twice more wealthy for a moment ?

Though who will take care of Non-stellar-foundation subnet? If it will be destined to die - who will take responsibility of investments done until it is clear that there are 2 networks? If it will continue to live - how many such networks we want to have? Of course those are a bit apocalyptic assumptions, but if theoretical model allows for it it just matter of time when real life will show implementation.

AigarsStaks

@istrau2 - thanks for a link. I guess it just implements what was in initial model published by @mazieres I guess.

I kinda think that technical controls, like QUORUM_SET, must be supplemented with organizational controls, like "networking rules" to be signed by any node that will be accepted in Stellar network. There can be also set of Network health application to be run by Stellar Foundation - to monitor the network against predefined criteria issuing warnings to nodes that does not comply to rules. In fact to create supplementary model.

umbrel

I agree with istrau2 and I don't think it's possible to have 1-2 nodes connecting 2 or more subnetworks, when people choose their quorum set they will automatically include nodes from another subnet, but I do agree that monitoring the situation is important.
Having multiple networks doesn't look like a problem to me, it's called sharding, we could have separate network for each country eventually, as long as there are enough anchors between them I don't see it as a problem.

AigarsStaks

Sharding is horizontal partitioning of the DB in order to scale single database. In case of sub-network split it is not sharing. Splitting would create two identical copies of the data base (ledger) that will diverge almost instantly.

Good thing : All of us who currently have XLM instantly will become twice as rich compared to those who will buy lumens afterwords ?

Bad thing: There is lots of opportunities for fraud. i.e. new exchanges may pop connecting to weakly-connected nodes; some clusters or nodes may be created with specific agendas to trap specific set of users etc. Any such event would discredit the whole network.

AigarsStaks

@umbrel - I do not think people will do it by intention. It can happen if network will grow to 100-1000 or more nodes. Each of the nodes will be connected so some 5-10 other nodes but if there are no rules and there is no single governing body, it my just happen. It is theoretically possible if there is enough time for it to happen.