Steemit infrastructure security, scalability, and points of failure

in #steemit-issues, 8 years ago (edited)

So far so kinda good in the Steemit world, but as those of us who are starting to get addicted to the platform realize, the increased traffic and popularity of the site will bring its own set of issues. Steemit is a startup and it is run by real people using real hardware, resources, and software. Add exponential growth in users, data, and economic value and that’s when things can start breaking down. 

Scalability

The first big question is whether Steemit can scale to keep pace with its exponential growth. What level of traffic and content creation and data storage can the infrastructure handle? Just this morning I was having issues loading the site, and basic functionality, like filtering tags, hasn’t been working.

Security

Since Steemit runs on servers and has a bunch of users and network admins who are mere human beings, it’s reasonable to think the system is vulnerable to hackers. That’s scary because this isn’t Reddit, and we now have accumulating real economic value stored in accounts across the network. 

Network security for hosting the site and keeping it live involves a whole bunch of behind-the-scenes activities we’ll likely never really be privy to, but since we’re all stakeholders of varying degree in this fun experiment, it’d be nice to know that there’s serious thought and effort involved in keeping things running safely. 

Individual accounts are always as vulnerable as the users themselves, and sometimes we’re just straight-up outwitted by conniving hackers who infiltrate our systems. Steemit involves real money, though, so hacking an account here could mean serious money stolen; for better or worse, we don’t have recourse to calling our banks and crying to get refunded, nor do we have handy FDIC bailouts, so the full onus of securing our accounts is on us. That said, those really running things at Steemit should quickly get 2FA security features in place to help us layer up. 

Other Points of Failure

Can courts and governments shut us down? Steemit is a startup that’s clearly crowdsourcing equity investment. This is an awesome idea economically because it’s creating a dedicated community with real interests in seeing it grow as enhanced stakeholders; a warm fuzzy feeling we don’t get from other social media platforms like Facebook, Twitter, or Reddit. But does anyone really understand the legal issues we’re up against?  

First of all, what’s our legal jurisdiction? Is Steemit a registered business, are we on the hook for legal compliance where our servers are located? How will the world view our little, but growing, hive? The user community is already spread around the world, and since anyone with some Bitcoin, Bitshares, or Ether can buy in as investors (including shareholders), there’s no way of actually pinning down who owns what in the long run. However, there are a handful of founders and early investors supporting this project, so, clearly, these people can be targeted and their resources made vulnerable.  

Finally, this experiment is all about decentralization and openness; censorship is something we censor. What implications does that have for copyright or trademark violations? What happens when one of our users posts material that someone else, or some company, decides violates their IP? It is guaranteed that it is merely just a matter of time before some court orders Steemit to remove content. Then what? Even worse, what happens when some douchebag jihadist posts a marketing pitch for ISIS and the FBI orders it taken down?

Servers and people are always vulnerable and until projects like Maidsafe or other meshnets are operational, we need to plan ahead to make sure we avoid future catastrophe. It would be a disaster if the community exploded along with STEEM’s market cap and we had a single court decision to shut us down wipe out a billion dollars in value.   


In terms of website performance our underlying technology can easily scale.  The primary database that powers steemit is the C++ code that runs the blockchain. This database is trivially replicated and kept in sync across the globe. (The power of blockchains).  The internals are based upon the graphene code which is about as efficient as any database can be.  I see no problem with scaling our database or our front end assuming we have steady / predictable growth.  

In terms of security, it is something we take very seriously. It is also something that is very difficult. Overall, our security is built on better fundamentals than most other blockchains for the following reasons:

  1. 99% of the value is time-locked and secured by owner keys
  2. 99% of activity is done with posting keys which don't have access to spend funds
  3. Keys never get sent to the server

In the event our server is compromised, only users who load compromised HTML from our server are vulnerable. If this were to happen then most users would only have their posting key compromised. Fortunately, this does not compromise their funds. Some smaller set of users who log in to do financial transactions with their active key could have it compromised as well.

In the long run, the best security will take the form of a browser plugin that manages your keys and prevents Steemit.com from swapping out the JavaScript that loads your keys and signs messages.

We are taking measures to deploy watchdog bots that automatically detect changes in the deployed HTML and alert us to changes. 

Nothing is perfect, but in terms of performance, scalability, and security I am sure our team is up to the task. 
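
A sketch of the kind of check a watchdog bot for deployed HTML could run, added here as an illustration and not Steemit's own code: it fingerprints a page's scripts and reports what differs from a known-good baseline. The names `ScriptCollector`, `fingerprint` and `diff`, and the sample markup, are assumptions made for this example.

```python
import hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Collect external script URLs (with SRI value) and hashes of inline scripts."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = {}, [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.external[a["src"]] = a.get("integrity")
            else:
                self._buf = []          # start capturing an inline script body
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip().encode()
            self.inline.append(hashlib.sha256(body).hexdigest())
            self._buf = None

def fingerprint(html):
    p = ScriptCollector()
    p.feed(html)
    p.close()
    return {"page": hashlib.sha256(html.encode()).hexdigest(),
            "external": p.external, "inline": sorted(p.inline)}

def diff(baseline, current):
    """Return alert strings; an empty list means the page matches the baseline."""
    if baseline["page"] == current["page"]:
        return []
    alerts = []
    for src, sri in current["external"].items():
        if src not in baseline["external"]:
            alerts.append(f"new external script: {src}")
        elif sri != baseline["external"][src]:
            alerts.append(f"integrity attribute changed: {src}")
    for src in sorted(baseline["external"].keys() - current["external"].keys()):
        alerts.append(f"script removed: {src}")
    if baseline["inline"] != current["inline"]:
        alerts.append("inline script changed")
    return alerts or ["markup changed outside script tags"]

# Constructed sample pages (not real Steemit markup).
GOOD = '<html><script src="/app.js" integrity="sha256-AAAA"></script><script>init()</script></html>'
TAMPERED = GOOD.replace("init()", "init();extra()")
```

The baseline fingerprint would be recorded at deploy time and compared against pages fetched from outside the hosting network, so that a change made on the server itself is still seen.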


What about open sourcing a client? It will give extra credit for users as well as give the community the ability to improve security. Are you going to do this? When?

Glad to see folks thinking ahead!  As a lawyer, I'm less concerned about the legal issues you raise and more concerned about the security issues, perhaps because my grasp of the latter is wanting.

Legally, state censorship of Steemit would be incredibly difficult, at least once it reaches sufficient scale.  Judges cannot order individuals to do things beyond their control.  For instance, a judge cannot legally order me to paint the sky red.  And, reversing entries on a sufficiently secure blockchain is the rough digital equivalent of painting the sky red.  To the extent that such a reversal is possible at all, it could only be done by a large group of people (called "witnesses" in the Steemit system, I think) acting in concert.  Provided that this group is sufficiently large and sufficiently distributed across multiple legal jurisdictions, successful state censorship becomes very, very unlikely.  

It's also unlikely that a judge (in the US at least) could compel a person to write code.  Code is speech, and speech is Constitutionally protected.  So, targeting developers probably isn't a winning strategy for the state either.     

Nonetheless there will be community policing and community censorship to some degree via the down voting process.  It will be fascinating to see how that works and evolves.  I imagine that organizations like ISIS would get down voted to irrelevance, but perhaps not.  And perhaps they can find ways of gaming the system to work in their favor.     

You may be on Steemit.com but this is just one web wallet for the Steem network which is a decentralized blockchain database built for security and scale with DPOS+POW consensus algorithms.  If Steemit's servers go down, the blockchain will keep running and Steem community may access their account from other interfaces. Please read the terms of service and the Steem white paper.

Very well written and well thought out. I am very curious to find out the answers to your questions.

Steemit, Inc is not crowdsourcing equity investment. Steemit has mined, purchased, or earned all Steem in its possession. Steemit is a peer on the peer to peer network just like blockchain.info to Bitcoin.  


It's nice to see a logical explanation following other precedent. The risk is that none of this has legal clarification yet, so hopefully there aren't unforeseen issues. Steem Power smells like equity investment since it implies some ownership stake and a vesting schedule for funds being locked up. 
