A crypto-trader’s diary — week 8; IOTA is awesome (or is it?)

Alternate title: blockchain schmockchain

David Gilbertson
May 20, 2018 · 13 min read

Welcome to the crypto-trader’s diary, week 8. All prior weeks are here.

Weekly report

To recap: my new plan is to put $500 each week into one particular cryptoasset. Last week it was Bitcoin.

  • Total Invested: $500
  • Current value: $472
  • Profit: not good

I didn’t mention this last week, but I have decided to be open and honest about money stuff, because I wish other people were. I know to some people $500 is a lot and I’m a rich jerk, and to some it’s chicken feed and I’m laughable small fry. But if someone wants to judge me based on dollar figures — rather than on any of my other glaring faults — that’s their problem, not mine.

So a small apology from me if talking about money seems distasteful, but I think it’s useful (and wish I could see the transaction history of everyone sharing their crypto-opinions on the internet).

I spent all of this week reading up on IOTA. The end result was a popcorn overdose and the purchase of $500 worth of IOTA. (Somewhat tentatively, as will become clear as you continue reading.)

Let’s dive in…

The good

I tend to get a bit excited about any new thing I learn (hey, did you know lettuce lasts longer in this little drawer at the bottom of the fridge? Incredible!), but I’m pretty sure that IOTA is objectively exciting.

It stands for Internet Of Things and I’m not sure about the A. It’s technologically a very different thing to Bitcoin, Ethereum and all the others.

It’s like if all the different cryptocurrencies were cars driving around, and IOTA was a Tesla — it looks much like all the fuel burning cars, but under the skin is something completely different that will make everything else obsolete.

(Don’t worry, I dial back the fanboyism later on.)

I have a solid 60% understanding of how IOTA works — at the centre of it is a ‘tangle’, in contrast to other cryptocurrencies which have a ‘blockchain’.

A tangle is a different type of Distributed Ledger Technology. A different type of database.

Here’s my explanation: if a blockchain is a rope with knots in it — where each knot is a transaction, a tangle is a net.

Maybe that’s why it’s called a tangle? Perhaps the inventor was stuck in a net as a small child and thought one day I will turn this negative experience into a positive one. Then he rode a dolphin into the sunset and unfortunately into another net, but he escaped from that too and began work on IOTA on the dolphin ride home.

Anyhoo, the use of a tangle means that the throughput limitations that are looming over the other cryptocurrencies are not a problem for IOTA; their TPS has commas in it.

If you would like an intelligent description of the mechanics of IOTA and to hear the words Directed Acyclic Graph, the ebullient Siraj Raval has got you covered with this twenty-six minute YouTube video. That dude’s great.

When someone tells me they have a system where nobody pays, my ears prick up, just like when I hear “honey, I’m home” (I live alone).

Well, as far as I can tell, since I’m the one that has to do the ‘proof of work’ when making a transaction, I’m the one paying — in the form of power usage. I’m essentially playing the role of a blockchain miner.

So, it’s all lies and I am paying, but exactly how much am I paying?

The IOTA folk say that proof of work typically takes 30 seconds on a decent computer. My CPU is decent and draws about 65 W. So 0.000542 kWh to process a transaction. My electricity provider charges $0.29 per kWh, so it will cost me about $0.000157 to make a transaction. Or about 6,400 transactions for a dollar.

Clearly the takeaway here is to make transactions on your phone while plugged into a power point in a cafe. That way they pay the $0.000157 and you walk out fee free.

IOTA is in its infancy, but there’s (at least) one interesting partner, Taipei city, which plans to use IOTA for “digital citizen cards with built-in TangleID”. Sounds great.

There’s also a thing called LASS. They state on their site: “Our team BiiLabs & NCKU DLT Lab offload the sensor data from the cloud to the IOTA Tangle”, and then link to Airbox/PM2.5 with IOTA for more info, which is a site that doesn’t say anything about IOTA.

Then there’s the Ruuvi tag and the IOTA data marketplace, where — right now — you can go and purchase data streaming out of IOT devices all around the world by clicking points on a map.

That’s neato!

The bad

Buckle up, buckeroos!

From what I understand, if IOTA’s tangle is the right way, then Bitcoin’s blockchain is the wrong way.

Is that right? Is this CD vs cassette tape, or Plasma vs LCD? Comments please.

Regardless, why do I think this is a bad thing? Why would I hold such a bold claim against IOTA? And am I going to make a habit of asking, then answering, my own questions?

To be clear, I’m not saying that a bold claim is something that IOTA have done wrong, or should have done differently.

I mention this as a negative because from an investment perspective, bold claims from capable people drive up the price of the asset. And since I’m coming in relatively late to the game, the price already reflects these lofty goals.

This means that if the projections aren’t met to the expectations of the market, the value is likely to go down.

The Tesla analogy continues: shares in Tesla are much, much higher than they ‘should’ be, because the price incorporates a lot of faith in Elon’s ability to pull off his grand vision. If the debt catches up with Tesla, or Musk has a Twitter meltdown and loses his shine, then it might all come crashing down, wiping out a lot of wealth in the process.

So for the price of IOTA to go up (and that’s all I care about), IOTA need to deliver, and then deliver some more on top of that.

As I was researching the technical aspects of IOTA, and getting pretty excited in the process, I thought it might be sensible to go searching for the opposite of the opinions I was forming.

I did my best to reset my opinion before setting off on this contradictory journey; if I went in as a huge fan of IOTA, then I would dismiss any negative information as Fear, Uncertainty and Doubt fuelled by jealousy or threatened competition. And then what’s the point in even trying to find differing opinions?

So with that, I sat down in front of Google and searched for things like: “the problem with IOTA” and “why IOTA is shit” and “IOTA will fail”.

And oh my, a completely different world opened up.

As you read the story below, you might like to know that there’s quite a few twists and turns, so if you stop halfway and head straight to the comments, you might wind up looking silly.

Imagine I told you I had hacked your personal bank account in the following manner:

You digitally signed a payment putting $100 into my bank account. I can now use the signature on this payment to authorise a payment where I extract $129,140,263 from your account.

I would forgive you for needing a moment to change your pants.

The quote above is an adaptation of the (alleged) vulnerability MIT found in IOTA, as described in this GitHub repo. MIT outline the timeline of events, including the fact that IOTA has fixed this vulnerability.

But already things get complicated, because maybe that’s not a vulnerability at all, and what do I even mean by “MIT”?

When I picture MIT I picture Dead Poets Society, a fussy old professor with a daunting intellect and ethics as solid as the stones within which he teaches.

Well, the MIT of this story is not quite that MIT.

There appears to be four sides to this love-hate triangle:

  • The IOTA Foundation
  • MIT Technology Review (they ❤ IOTA)
  • MIT Media Lab (they think IOTA and MIT TR are 💩)
  • MIT DCI (they ❤ blockchain and ❤ finding IOTA vulnerabilities)

After the MIT DCI (Digital Currency Initiative) people published the vulnerability, and published a blog post explaining it, some chaps at the MIT Technology Review (which is short for Massachusetts Institute of Technology Technology Review) had some positive things to say about IOTA.

So yes, one MIT team says “gaping hole” and another says “yeah but isn’t it great?!”

In response to this positive article, MIT Media Lab (home to MIT DCI who you will recall from the “gaping hole” comment above), came out with some less positive things to say.

Then the folk at IOTA said hey, mind if we chime in? and did a good job of summarising the whole thing and offering a level-headed rebuttal with a sprinkling of smack talk.

The most interesting thing that IOTA points out in their rebuttal is how many people working for the MIT DCI are Bitcoin developers, or closely related to the project, or other blockchain projects.

If nothing else, it’s a very Bitcoin-friendly team, and IOTA appears to be a serious threat to Bitcoin, so they’re no doubt a juicy target.

This fact doesn’t negate the DCI’s findings in any way, but it’s interesting that they’re not necessarily the impartial observers I first assumed.

Sometimes, when a writer writes, they’re trying to get the reader to agree with them, rather than just laying out facts (I do it all the time). In a newspaper article it might be as subtle as saying “almost 10,000 people were affected” instead of “less than 10,000 people were affected” — same fact, different vibe.

Take, for example, this little snippet from MIT DCI: “the entire IOTA network went down in November, and was completely inoperable for about three days”.

An impartial academic would say “the IOTA network”, not “the entire IOTA network”. An impartial academic would say “was inoperable”, not “was completely inoperable”.

Atticus Finch once told me to, “delete the adjectives and I’d have the facts”. (He forgot to mention adverbs but he had a lot on his mind at the time.) And it seems MIT have been liberal with both of them.

Here’s a quote where MIT attempts to dispute the claim that IOTA transactions are free: “IOTA transactions are “zero fee” in exactly the same way that Bitcoin transactions are”.

This is true if the MIT researchers aren’t capable of doing sums on a calculator.

If a transaction costs $1 on one network, and $0.000157 on another network, I wouldn’t use the phrase ‘exactly the same’, even if it was followed by the word ‘way’.

In my opinion, that falls into the bucket of ‘arguably true but obviously misleading’; not what I would expect from an impartial academic.

But what about this alleged vulnerability?

Well, I’ve obtained exclusive access to this 124 page email trail, by Googling “MIT IOTA”.

The email chain apparently proves that MIT is the bad guy and IOTA the victim, while apparently simultaneously proving that IOTA are the villains and MIT are here to save the day. I guess at least 50% of these people believe what they want to believe.

I should say that I started reading the email chain first, before any of the blog posts about it, and kept flipping in my head as to who was behaving the worst.

I was on team MIT when they said: “A more general point is that you should never roll your own crypto and if you must then it should be submitted for peer review by cryptographers before using it in a security critical application”. This resonated with me because I have known the sort of people that think they’re smarter than everyone else, and even smarter than the collective wisdom of the crowd, and it rarely ends well.

I also like the first third of this sassy quote from MIT on page 17: “We used the lyrics to the 80’s hit single “push it to the limit” in the colliding messages to demonstrate that we fully collide the internal state of curl and thus have arbitrary control over most of the message”.

This brought to mind Nelly’s hit single from 2002: It’s getting hot in here.

At another point the chap from IOTA says “Instead of X = F(A, B) we’ll be using X = F(A, B, C)” and I was like, well duh, my two year old could have worked that out. And he’s a cat.

It’s beyond me why they don’t just do X = F(A, B, C, D, E).

I was swayed even further onto Team MIT when the IOTA person quoted Wikipedia and later, Stack Overflow. And then went on to mention that the SO commenter had 136,000 points so is clearly legit.

That seemed like a bit of a worry to me. I don’t want to take my car in for a service and see the mechanic on the Wikipedia page for ‘engine’. Or go to the doctor and see them on health.stackexchange.com reading “how to fix a sick human”.

I got a third of the way through these emails before I realised that I was forming opinions based on things other than facts. Both sides were getting pretty argumentative and I wasn’t actually understanding the problem being described, I was just wasting my own time and my phone’s battery.

So, I stopped reading the email chain and went looking for articles on both sides that were more at my intelligence level.

Here’s what I can gather…

  • Since the IOTA network is in a bootstrap phase, it currently has a ‘coordinator’ in place to help keep an eye on things. The network doesn’t work without this coordinator, which means no, IOTA isn’t decentralised at the moment.
  • It has been planned since day one for the coordinator to be removed at some point in the future, and no one ever claimed that IOTA was ‘decentralised’ while this coordinator was in place.
  • The scenario described by MIT was sort-of possible, but what they didn’t know was that IOTA’s coordinator would have seen what was going on and blocked that transaction from happening. So in fact it was not a vulnerability at all.
  • What’s more, this ‘vulnerability’ was actually there by design. As you will have realised, without the coordinator, the system is vulnerable to attack, and the coordinator is not part of the IOTA open source code. So if you fork IOTA and start your own competing cryptocurrency (without the coordinator), IOTA can destroy you and everything you hold dear.
  • I don’t believe this vulnerability was public knowledge.
  • Since the plan was to eventually remove the coordinator, the plan must also have been to eventually remove the vulnerability.
  • Speculating now: in IOTA’s back-and-forth with MIT, they were reluctant to give away the secret of this hidden-vulnerability, so failed to plainly say “yes, you found something that looks like a vulnerability, but it’s there on purpose and it won’t work on the IOTA network because the coordinator will block the transaction. Please feel free to give it a crack and you’ll see you’ve got nothing of interest to publish.”
  • Likewise, MIT failed to attempt the attack against the real IOTA network. If they had tried it against the real system (with the coordinator) for some trivial amount of money, then they would have quickly seen “oh, the coordinator is doing something special here because the attack doesn’t work” and none of this drama would have happened. Are there rules against this when it comes to white-hat hacking? Don’t these same rules say something about publishing a blog post titled “Cryptographic vulnerabilities in IOTA” when you haven’t actually demonstrated that the IOTA network is vulnerable?
  • The IOTA people appear to have not foreseen the possibility that someone would find this vulnerability and publish it, or were willing to accept the PR hit that might eventually ensue.

Someone please correct me if I’ve got any of that wrong and I’ll update it immediately.

I have been learning about cryptocurrencies for eight weeks, and learning about IOTA for one week — so consider my opinions worthless.

Regardless, I’m going to put on my stern voice, my Judge Judy hat, and make a ruling:

MIT DCI: you did good finding what looked like a vulnerability, but you really milked it and strayed further into opinion land than I would expect from impartial academics, perhaps as a result of your strong ties to Bitcoin. (And to the real MIT: I’d keep a leash on these entities with MIT in the name behaving in a not very MIT-like manner.)

IOTA: hmmm, I feel like IOTA are partly to blame in all this but can’t put my finger on why I feel this way.

I think building in a vulnerability in order to make any fork of IOTA insecure (if I understand correctly) is asking for reputation damage if and when that vulnerability is discovered.

I also think having a co-founder throwing insults around on social media — deserved or otherwise — is poor form: “Are you incapable of reading?”, “pathetic and ridiculous”, “hypocritical kid”, “you have no life”, and my favourite, “Some random idiot in Spain”.

Don’t get me wrong, I think nice is overrated (I myself am a complete asshole), and I’m fine with a bit of Steve Jobs instead of Bill Gates, but these insults are more Trump than Musk.

I understand the frustration the IOTA team must feel, fending off fake news from formerly-reputable sources like MIT. But I’m not sure an entity can say “our reputation and public perception is of utmost importance to us” yet proudly proclaim “I am ‘blunt’ and brutally honest … If that makes me rude, I’m rude as fuck”.

IOTA might have a smoother PR ride if they pick just one of ‘reputation and public perception’ or ‘rude as fuck’. That is, if the goal is to attract corporate partnerships and foster widespread adoption of this promising technology.

But what the hell do I know. And who the hell asked me anyway?

With all that said, I think IOTA is awesome and I’m excited to see what these early-2018 POCs look like and what Qubic is all about.

Now I will sit back and wait for the friendly comments from people on both sides of the fence congratulating me on my unbiased portrayal of the facts.

There are two things left unanswered in my mind about the IOTA technology. I’m quite sure they’re addressed somewhere, I just haven’t come across them yet.

  1. If signing a transaction takes 30 seconds on a decent CPU, it could take maybe 10 times that on a low-power IOT device, right? Does that mean a device would be limited to sending one transaction/bundle every 5 minutes? And would live its whole life at 100% CPU? Does this rule out battery powered, lower-power devices?
  2. If bundles/data can be sent without actually exchanging value, why does an IOTA token have a monetary value? Or did I misread that somewhere?

Next week

Next week I’m going to research Litecoin. Assuming this is less of a minefield, I hope to get a better understanding of blockchain mechanics and actually read a white paper (which I feel guilty for not having done yet).

That’s it, thanks for reading!

Week nine can be found here, if you haven’t had enough yet.
