Show Posts
SCAM ALERT!
DO NOT PUT ANY MONEY INTO THIS COIN!
Read the whole post to understand! Some things may be technical at first, but I hope everyone will understand.
I have been silently reading the previous announcement thread since a few weeks now and have to say I'm surprised by how many people think this "coin" will yield anything good. Why do I think so follows:
- Centralized architecture, it's a huge red flag already. Devs can manipulate coin amount anytime they want. They can issue new coins from nothing. (The coin amount counter is running on their server, that data means nothing.) Given this much control they can manipulate the price any way they want, the fact they didn't do it just shows their incompetence in this field. Seriously, they could be rich already. The "blockchain" viewer also runs on their server, same here, it cannot be trusted. By the way, there isn't even a blockchain probably. It would make no sense with this setup. It's just a plain old database with the syncs stored. There are other problems with centralization though: a DDoS could bring the entire system down. (Currently, I would bet 90 % the server doesn't have DDoS protection.) A hacker could get into the server, issue random coins to random accounts, delete everything from the database (yeah, there are backups probably (if there are lol), but the outage and rollback would still be disastrous if the "coin" would get popular). They could also leak all user data depending on what is stored. Some simple misconfiguration could also bring the system down. Such an environment should be extremely robust. And I didn't even mention scaling: if this would get very popular, it would need scaling and since you're dealing with transactions and syncs you can't go NoSQL. Transaction management in a high-scale environment is really hard, banks have dedicated teams to do it.
- Syncs - wait what??? So without any kind of proof I can get stuff worth money? Hell yeah! Before you say it's mining: No, it isn't! There's an app checking accelerometer data and sending the server how much movement occurred. How about faking accelerometer data? Actually, since code is running on users' devices, it can be altered or fed fake data anytime. No, obfuscation won't help either. There are many ways to defeat it. Let's go through a few! Device software can be modified to provide data what I want. Virtual machines could be spawned to do the same, or some hybrid solution, virtualizing only the app. Possibilities are endless! One can modify the application itself to do what they want. One could create bots by reverse engineering the functionality and writing a program to mimic it. TOR and proxies would give them thousands of individual "miners" generating lots of "coins" every day (even if devs implemented TOR or proxy detection, they can't detect all proxies (see private ones) or one with a small-sized botnet could use totally legit IP addresses which you cannot filter (this is plausible, especially if you think about such groups, they would also have the capacity to maintain a solid bot)). The problem is that there is NO PROOF OF WORK/STAKE/ETC. mechanism. It simply trusts the environment and this is a huge no-go in cryptocurrency.
- The app - Even though I'm no expert in the field, it took me roughly half an hour reading about the APK decompilation process and doing it. Noticed the core parts are in a native library, finally something interesting. I already know why the app has (/had, newest one is said to be stable) so many bugs and crashes reported by other members. Sure, writing it in all Java would have revealed how there is no real proof for validating syncs, but the devs aren't competent enough probably to deal with C or C++ and implement a proper bug-free code natively. No, do not say it's a beta, it's still unacceptable.
- Closed source - Devs say the infrastructure is closed source because if it would be open, scammers would create clones and saturate the market. This is such a ridiculous contradiction.
Devs are the very scammers here. Yes, they say they are honest (why say it anyway? people either trust you or don't), but we cannot know this honesty will keep up later on. Also, what if a new member in the dev team comes and they won't be? This leads to another question - how many devs are there in the team anyway? Two? Three? (In a post one of them said they got another member.) Total lack of transparency. This does nothing good in the cryptocurrency ecosystem among lots of scammers. Also, open sourcing the app would reveal all the flaws I already mentioned.
- Mainly just to make an interesting point: The API - Without knowing much about the details, the API for integrating third-party systems works as follows: First of all, it's not open. You need to contact the dev team, supply them information about the system you're building, you have to prove that you're part of the team that's developing this particular system (read it somewhere on another forum) then you get the documentation which probably entails the following: You need to connect to the central server through some obscure HTTP(S)-based methods. UseCryptos had to integrate this system, that's why it took so long from initial announcement to actually get an up and running system. Why is this bad? First, it really slows down development time if you want to support this "coin", which is not something developers can allow themselves. This results in lower adaption rate as nobody would like to spend time for this specific coin when they can get up and running with all other JSONRPC coins in a few minutes. Bitcoin introduced the JSONRPC API and since lot of other coins are based on that, they too include it. BUT: Other, totally custom coded coins also include this API for the sake of good integration capabilities. They keep up with standards. The thing is, people have already written many wrappers and helper libraries so it really is a breeze to work with. Also, this approvement for every service is good now, but what if you got tens or hundreds of requests a day later? How would you cope with it? Also, since all of these services connect to the same server, making lots of requests, this also will increase server and bandwidth load. Got to scaling again...
- Getting popular - Seriously, I do not care if some people in the early (especially beta) days lose money. Heck, I wouldn't have written up all these (yeah, took a lot of time...) if I didn't think about the future. My problem is mainly the following: The "coin" is aimed at the masses, especially running clubs. These people know nothing about the workings of the system and they trust it. Also, traders on cryptocurrency exchanges put money into it and get scammed by those gaming the system. And here I have to say it again: They cannot secure the system against gaming. The design simply does not allow it. It would need a proper proof algorithm, but in the sense of running and acceleration checking it cannot be designed by our current knowledge (I also was thinking about it, it's a no-go.). One cannot simply trust code running on a user device. No matter how much obfuscation the devs do, if there is big money in it, people will hack it. This is not even something to talk about, it's fact.
- PayPal payout - Simply put, PayPal sees cryptocurrencies as one of its direct concurrency and disables accounts trading coins if it finds out. Even though Mango is not a cryptocurrency, I don't think they'll like it if it gets popular. This would not be a problem, but this option is there to make things simple (people don't have to deal with exchanges) and
I refer to it as "coin", because this is not a coin in terms of standard naming. Not at least here on BitcoinTalk. This site is about cryptocurrencies which have proper cryptographic algorithms to ensure mining hasn't been tampered with. I would rather call it a token if I were to give a description.
DO NOT PUT ANY MONEY INTO THIS COIN!
Read the whole post to understand! Some things may be technical at first, but I hope everyone will understand.
I have been silently reading the previous announcement thread since a few weeks now and have to say I'm surprised by how many people think this "coin" will yield anything good. Why do I think so follows:
- Centralized architecture, it's a huge red flag already. Devs can manipulate coin amount anytime they want. They can issue new coins from nothing. (The coin amount counter is running on their server, that data means nothing.) Given this much control they can manipulate the price any way they want, the fact they didn't do it just shows their incompetence in this field. Seriously, they could be rich already. The "blockchain" viewer also runs on their server, same here, it cannot be trusted. By the way, there isn't even a blockchain probably. It would make no sense with this setup. It's just a plain old database with the syncs stored. There are other problems with centralization though: a DDoS could bring the entire system down. (Currently, I would bet 90 % the server doesn't have DDoS protection.) A hacker could get into the server, issue random coins to random accounts, delete everything from the database (yeah, there are backups probably (if there are lol), but the outage and rollback would still be disastrous if the "coin" would get popular). They could also leak all user data depending on what is stored. Some simple misconfiguration could also bring the system down. Such an environment should be extremely robust. And I didn't even mention scaling: if this would get very popular, it would need scaling and since you're dealing with transactions and syncs you can't go NoSQL. Transaction management in a high-scale environment is really hard, banks have dedicated teams to do it.
- Syncs - wait what??? So without any kind of proof I can get stuff worth money? Hell yeah! Before you say it's mining: No, it isn't! There's an app checking accelerometer data and sending the server how much movement occurred. How about faking accelerometer data? Actually, since code is running on users' devices, it can be altered or fed fake data anytime. No, obfuscation won't help either. There are many ways to defeat it. Let's go through a few! Device software can be modified to provide data what I want. Virtual machines could be spawned to do the same, or some hybrid solution, virtualizing only the app. Possibilities are endless! One can modify the application itself to do what they want. One could create bots by reverse engineering the functionality and writing a program to mimic it. TOR and proxies would give them thousands of individual "miners" generating lots of "coins" every day (even if devs implemented TOR or proxy detection, they can't detect all proxies (see private ones) or one with a small-sized botnet could use totally legit IP addresses which you cannot filter (this is plausible, especially if you think about such groups, they would also have the capacity to maintain a solid bot)). The problem is that there is NO PROOF OF WORK/STAKE/ETC. mechanism. It simply trusts the environment and this is a huge no-go in cryptocurrency.
- The app - Even though I'm no expert in the field, it took me roughly half an hour reading about the APK decompilation process and doing it. Noticed the core parts are in a native library, finally something interesting. I already know why the app has (/had, newest one is said to be stable) so many bugs and crashes reported by other members. Sure, writing it in all Java would have revealed how there is no real proof for validating syncs, but the devs aren't competent enough probably to deal with C or C++ and implement a proper bug-free code natively. No, do not say it's a beta, it's still unacceptable.
- Closed source - Devs say the infrastructure is closed source because if it would be open, scammers would create clones and saturate the market. This is such a ridiculous contradiction.
Devs are the very scammers here. Yes, they say they are honest (why say it anyway? people either trust you or don't), but we cannot know this honesty will keep up later on. Also, what if a new member in the dev team comes and they won't be? This leads to another question - how many devs are there in the team anyway? Two? Three? (In a post one of them said they got another member.) Total lack of transparency. This does nothing good in the cryptocurrency ecosystem among lots of scammers. Also, open sourcing the app would reveal all the flaws I already mentioned.- Mainly just to make an interesting point: The API - Without knowing much about the details, the API for integrating third-party systems works as follows: First of all, it's not open. You need to contact the dev team, supply them information about the system you're building, you have to prove that you're part of the team that's developing this particular system (read it somewhere on another forum) then you get the documentation which probably entails the following: You need to connect to the central server through some obscure HTTP(S)-based methods. UseCryptos had to integrate this system, that's why it took so long from initial announcement to actually get an up and running system. Why is this bad? First, it really slows down development time if you want to support this "coin", which is not something developers can allow themselves. This results in lower adaption rate as nobody would like to spend time for this specific coin when they can get up and running with all other JSONRPC coins in a few minutes. Bitcoin introduced the JSONRPC API and since lot of other coins are based on that, they too include it. BUT: Other, totally custom coded coins also include this API for the sake of good integration capabilities. They keep up with standards. The thing is, people have already written many wrappers and helper libraries so it really is a breeze to work with. Also, this approvement for every service is good now, but what if you got tens or hundreds of requests a day later? How would you cope with it? Also, since all of these services connect to the same server, making lots of requests, this also will increase server and bandwidth load. Got to scaling again...
- Getting popular - Seriously, I do not care if some people in the early (especially beta) days lose money. Heck, I wouldn't have written up all these (yeah, took a lot of time...) if I didn't think about the future. My problem is mainly the following: The "coin" is aimed at the masses, especially running clubs. These people know nothing about the workings of the system and they trust it. Also, traders on cryptocurrency exchanges put money into it and get scammed by those gaming the system. And here I have to say it again: They cannot secure the system against gaming. The design simply does not allow it. It would need a proper proof algorithm, but in the sense of running and acceleration checking it cannot be designed by our current knowledge (I also was thinking about it, it's a no-go.). One cannot simply trust code running on a user device. No matter how much obfuscation the devs do, if there is big money in it, people will hack it. This is not even something to talk about, it's fact.
- PayPal payout - Simply put, PayPal sees cryptocurrencies as one of its direct concurrency and disables accounts trading coins if it finds out. Even though Mango is not a cryptocurrency, I don't think they'll like it if it gets popular. This would not be a problem, but this option is there to make things simple (people don't have to deal with exchanges) and
I refer to it as "coin", because this is not a coin in terms of standard naming. Not at least here on BitcoinTalk. This site is about cryptocurrencies which have proper cryptographic algorithms to ensure mining hasn't been tampered with. I would rather call it a token if I were to give a description.
Some things you say are true, most aren't. Reading up on general purpose tech and having a premise that every system only works on the worst and lowest version of the tech type it uses is just bad. The problems you have mentioned are, simply put, problems that any architecture of that type has. Do you keep your money in a bank or under your bedsheets? Think twice if it's a bank.
But that doesn't mean you can't get the 99% efficiency.
We have invested a lot of money and time into this project, we have been through a lot of bad and nice stuff with our community. If you are indeed someone who has read the old thread, you would know that all the stuff present now will only get better in the future. We said we will move towards open source and decentralization. We delivered before. We will on this as well.
Once the thread gets rolling, we will present our plans.
Please don't mistake our honesty for incompetence.
Made an account just so you can post here?
I said nothing about the worst tech, what I wrote regard to the optimal case. You need top stuff to deliver the expected QoS in case of such a system.
"Think twice if it's a bank." - Yes, I only keep the necessary amount in a bank. But this discussion is not about me, I'm not the average in this case. That's not to say I don't trust a bank. The thing is, in some cases you don't have another option. Also, banks employ top security and reliability experts. They have regulatory obligations. Again, this discussion is not about banks in general, but: Most people don't have security concerns. Just imagine a simple runner as they are the main targets They don't care about the system. They trust it as much as they do with a bank. What bad could happen anyway? - they think. But let's examine the emotional side: A club runs for charity for a month to help raising money, but someone games the system and suddenly their coins are worth nothing.
"Made an account just so you can post here?" - Nope, I read the whole old thread and even posted twice. Those posts were also about security. I simply wanted to post my concerns here as you're extending the coin now. There is no problem with the issues as long as there are about 1000 people using it. That's 1000 * (daily limit) * (BTC trade price) * (BTC/USD price) per day (not considering multi-accounts) and it's not a huge amount. But if it's 100k people and BTC trade price is 100x the current one, it's significant money and it will be worth gaming the system. So yeah, I mainly posted it here so people stumble upon the truth hoping at least they scroll down reading the first page.
@barabbas: The reason I started with "Scam alert" is to get people's attention. Most wouldn't care about a long post otherwise.
@everyone: Reading again, my previous post looks a bit harsh and rude at some places, sorry for that.
