Rant about EOS low-security launch process

in #eos7 years ago (edited)

EOS lack of standard key generation tool and offline registration instructions this close to launch is an embarassment and a disgrace. Less than a month from the freeze, the only way to generate keys offline relies either on third party tools like this one from @nadejde that require trusting the author or involves goofing around with official nodejs libraries (a big thank you to @eosnewyork for providing this guide). So far the only known ways to register offline involves importing manually the EOS ABI in Mist or using the online MEW contract calls with a dummy private key, and signing the generated blob offline. Above trickery is far beyond the abilities of the general public and I'd be surprised if even 1% of the EOS holders generated their keys using trusted code, and registered them offline.

Key generation is the absolute base of any crypto system and underpins the entire future security model. With the current confusion around EOS registration and its near entire reliance on third party tools and instructions, for all we know many EOS registered wallets could already be compromised due to third party tools eavesdropping on keys, generating them with too little entropy or using a pseudo-random, reproductible key generation process.

As discussed in this very apropos comment in the @eosnewyork thread I linked above, we are heading toward a possible repeat of the IOTA key generation fsck up.

As a very early supporter of Dan's work, I'm deeply disappointed by the careless approach taken by EOS.

Sort:  

I'm sure Dan doesn't intend to keep it this way. Until the main net is launched, we have no idea how key generation will work but I highly doubt it'll be offline generation as even though I'm not an expert in cryptography like Dan, even I can tell that it's poor practice.

I've invested in EOS simply because I love what he's done with bitshares and steem, I see EOS as the next stage in this ongoing development and I trust he'll not screw it up like the IOTA team who have made hundreds of rookie mistakes and don't particularly know what they're doing.

It was interesting to read your story.

Please upvote supporting?

I want to promote #blurt, I hope you will be active there too. blurt blog is growing and its token value has gone up. for the current price of $0.025. hopefully with the power of blurt you can help the community there. thanks @recursive

recursive.png

join blurt https://blurt.world/
I'm also active there https://blurt.blog/@fajarsdq

EOSIO is having negative impact, because of this. Users are getting upset about the matter. They should work on their own, without depending on third parties.

Maybe they are working on this as more upgrades keep coming

And their something's we do after the bad had happened maybe until they find out them selves before measures are taken

Third party security dependent is not help ing the system, EOS should rectify this lapses to enable user have full access to their account.

I hope they're doing something about that already. They better not be so stupid to let this project ruined just because of the lack of security feature when almost all their competitors have it.

I have some bitshares, i have a bit of steem and i do not have eos

that means from an investment standpoint i might be to late but I just cannot bring myself to buy some and then have to go through all the mess described above

on another note, i can see that you are not voting for any witnesses, what would something that would possibly convince you to do so?

and if you just forgot then please just vote for @swisswitness
steemconnect makes that really easy now
https://steemconnect.com/sign/account-witness-vote?witness=swisswitness&approve=1

May require more sophisticated technology. To maintain security. Efforts to improve quality. .

@recursive you were flagged by a worthless gang of trolls, so, I gave you an upvote to counteract it! Enjoy!!

Coin Marketplace

STEEM 0.25
TRX 0.25
JST 0.038
BTC 96978.69
ETH 3375.51
USDT 1.00
SBD 3.54