CFB’s comments on https://www.media.mit.edu/posts/iota-response/
These are my personal comments on https://www.media.mit.edu/posts/iota-response/
IOTA’s relationships with top-tier companies continue to be nebulous.
In the Technology Review article, Orcutt linked to a November 28, 2017 blog post from IOTA that gave the perception that Microsoft was a partner in the marketplace. However, after a flurry of media reports making this claim, IOTA corrected their relationship status with top-tier companies like Microsoft, Cisco, and Huawei in a blog post dated December 16. That the MIT Tech Review story links to IOTA’s initial blog post instead of the later version is misleading.
The partnership issue was related to a subjective interpretation of the English word “partner”, and IOTA’s team can’t be blamed for that. For an example of a similar case, let’s look at https://medium.com/@neha/cryptographic-vulnerabilities-in-iota-9a6a9ddc4367 signed by an employee of the Digital Currency Initiative at the MIT Media Lab. The entity name makes us think the blog post was published under the MIT umbrella. Actually, MIT has nothing to do with that, as was found out by lawyers working on a case related to academic fraud conducted by two DCI employees who authored the linked blog post. If I worked at DCI, I would be consistent and either believe that IOTA’s team had no bad intentions or clarify in Neha Narula’s post that their text wasn’t endorsed by MIT. DCI exercising double standards taints MIT. I find the behavior of DCI employees deeply alarming and am surprised that no one has contacted the MIT administration on the matter yet.
Whether or not IOTA’s ledger is “tamper-proof,” the entire IOTA network went down in November, and was completely inoperable for about three days. That this has never happened in Bitcoin or Ethereum suggests the extent to which the IOTA network relies on the “coordinator” — a single point of failure — and is not truly decentralized.
Also troubling, IOTA developers were able to transfer funds out of users’ IOTA accounts. The user was then required to participate in a “reclaim” process to request their funds. We believe IOTA’s developers should not have access to such funds; it’s rife with risk.
I’ll ignore the fact that IOTA’s team is developing the protocol to accommodate the requirements of the corporate partners and hence some periods of maintenance are justified. I’d like to focus on that claim regarding Bitcoin and Ethereum. DCI has been in the cryptoindustry for a very short interval of time; they have no renowned experts on their team and hence don’t know much about Bitcoin and Ethereum. Both Bitcoin and Ethereum have had similar cases several times (e.g. https://bitcoin.org/en/alert/2013-03-11-chain-fork, https://www.coindesk.com/ethereum-executes-blockchain-hard-fork-return-dao-investor-funds/). I advise DCI employees to read about those cases and stop spreading misinformation. The Coordinator issue is a well-known issue which has been explained numerous times. The fact that DCI employees haven’t understood it makes me think they are not familiar with standard security precautions used in the cryptoindustry (https://en.bitcoin.it/wiki/Checkpoint_Lockin). I find their lack of expertise deeply alarming.
Orcutt’s claim that IOTA is free of fees is misleading. Though perhaps not immediately obvious, IOTA transactions are “zero fee” in exactly the same way that Bitcoin transactions are. An important difference is that Bitcoin has miners who can perform the proof of work for you, while IOTA users do the proof of work on their own devices, per transaction. However, a Bitcoin user can also mine their own block to get their transactions accepted into the blockchain without paying fees. To put it another way, most people wouldn’t be interested in buying a refrigerator operated by a hand crank, even if the advertisement said “No electricity required!”
It’s true that transactions with Bitcoin and other digital currencies, even when amortized over a block with thousands of other transactions, require much more work than transactions in IOTA. However, the claim is not that IOTA transactions are easier — the claim appears to be that IOTA transactions are free.
Semantics aside, this claim, which appears in IOTA marketing materials, is deceptive; the work required is a fee, whether or not it requires a monetary payment. Restricting the ways in which the fee can be paid — requiring that the work be done on a user’s own device — doesn’t make it go away.
We all know the second law of thermodynamics and that it will likely lead to the heat death of the universe. If you walk into a bar and someone buys you a drink, you will still do some work to take the glass. Will that drink be free? This is what DCI is arguing about. While I like philosophical contemplations, I find their argument about work being a fee ridiculous. And the way of their thinking — deeply alarming.
Once the Digital Currency Initiative published the break in IOTA’s curl hash function, its author, Sergey Ivancheglo, offered two conflicting explanations for the vulnerability.
The first explanation was that the flaw was intentional — that it was meant to serve as a form of “copy protection.” If anyone used this code in their own work, he said, the IOTA developers would be able to exploit the flaw and damage other systems that were using the hash function. However, later, he offered a conflicting explanation that he didn’t write the curl at all, but that an AI wrote it.
We do not find either of these explanations convincing, even in isolation. That they contradict each other makes them even less so.
I’d like to note that the quote contains incorrect information. My original words were: “IOTA team welcomes attempts to use technology IOTA is based on. This helps IOTA because increases awareness and shows that Tangle is indeed a viable technology. Unfortunately, odds that copies of IOTA codebase will be used for good are very low. We can’t just watch an IOTA clone scamming people and ruining people lives and Tangle’s reputation. This is why a copy-protection mechanism was added from the very beginning.” DCI using “anyone” changed the original meaning.
Here are my words related to the AI part: “While de-jure I can say that it was me who created Curl-P, de-facto it was created by a primitive AI created by me.” Curl-P security can be decreased by decreasing the number of rounds; this is a standard technique used in cryptography. The AI created Curl-P and I chose the number of rounds. I don’t see the contradiction.
If DCI wants to return to the question of the “vulnerability”, then I’d like to remind them that https://github.com/mit-dci/tangled-curl still hasn’t been updated to contain the code that would allow independent verification that the attack found by Neha Narula’s team can be applied to anyone except that IOTA address handpicked by Ethan Heilman. I asked them to provide the code numerous times and was ignored; others asked for that and were ignored too. I find this deeply alarming because the inability to provide a proof of their claim supports my suspicions that Neha Narula and Ethan Heilman from the Digital Currency Initiative conducted an academic fraud aiming to support their defamations against the IOTA community.