You are viewing a single comment's thread from:
RE: IOTA vs MIT - A deep dive - Programmer explains
The biggest red flag that makes me question the competence of the IOTA developer(s) is that they "removed a part of the copy protection mechanism which became useless once details of its work had become known to others". That sounds like they were relying on "security through obscurity". An absolute no-go. Another one is that they claim something is impossible in practice because it requires the user to be tricked into running arbitrary code... that happens all the time.
The system was never insecure by this copy-protection mechanism, because all transactions are currently routed through the Coordinator which checks for this specific attack (by design). Someone who copied the open source IOTA protocol code would not have the Coordinator to protect them, so their protocol would have been vulnerable to this type of attack (hence why this was a copy protection mechanism).
Once the MIT team discovered and revealed the details of the attack, there was no need to leave that mechanism in place since anyone copying the protocol would now know to check for the vulnerability.
Their point isn't that it makes the attack impossible but that it makes the attack impractical. If you can trick the user into running arbitrary code then there is no reason to create fake transactions - you can just steal their seed and move the funds regardless.