killerstorm (OP)
April 26, 2013, 11:43:59 PM
As far as I am aware there are no known vulnerabilities. It's just FUD. May I ask you what's your qualification? Forum bullshitter? There's a huge number of PPCoins traded daily and they are worth over 30 cents, if there was some known exploit it would have been carried out.
Do you even understand what kind of "exploit" we are talking about?
jubalix
April 27, 2013, 03:06:23 AM
is all the ppc code os?
if so can't you just read through the code?
Yes. Everything is open source. However, recreating the design documents from the source code is like trying to learn about civil engineering from looking at how people build bridges.
Really??? I have found the opposite it's only by reading and running parts of the code I can actually understand what's going on..... the design docs are often not spot on/not useful.
you can learn civil by looking at bridges!!!
pyra-proxy
April 27, 2013, 03:10:51 AM
is all the ppc code os?
if so can't you just read through the code?
Yes. Everything is open source. However, recreating the design documents from the source code is like trying to learn about civil engineering from looking at how people build bridges.
Really??? I have found the opposite it's only by reading and running parts of the code I can actually understand what's going on..... the design docs are often not spot on/not useful.
And can be intentionally misleading if you know that's where most will go to find the data.... the source is the only for sure way but we all understand that not everyone can read code or even all the numerous languages out there but if you can it's the way to go. Then there are those of us too lazy to care and are just happy with a working system who hope someone more motivated will look out for us lol :-)
Jutarul
April 27, 2013, 03:19:07 AM
Yes. Everything is open source. However, recreating the design documents from the source code is like trying to learn about civil engineering from looking at how people build bridges.
Really??? I have found the opposite it's only by reading and running parts of the code I can actually understand what's going on..... the design docs are often not spot on/not useful.
Please feel encouraged to help create design documents based on the source code. I'll be available to revise them. There are many important aspects about a cryptocurrency which are not readily available from the source code. E.g. Sunny chose to use a POW mining reward as a function of difficulty^4. What is the rationale for that? Ideally Sunny would have at least performed a calculation to derive good parameters. Unless many things are just random - but that would not qualify as design.
you can learn civil by looking at bridges!!!
Good luck trying to assess design flaws this way.
jubalix
April 27, 2013, 05:55:49 AM
Yes. Everything is open source. However, recreating the design documents from the source code is like trying to learn about civil engineering from looking at how people build bridges.
Really??? I have found the opposite it's only by reading and running parts of the code I can actually understand what's going on..... the design docs are often not spot on/not useful.
Please feel encouraged to help create design documents based on the source code. I'll be available to revise them. There are many important aspects about a cryptocurrency which are not readily available from the source code. E.g. Sunny chose to use a POW mining reward as a function of difficulty^4. What is the rationale for that? Ideally Sunny would have at least performed a calculation to derive good parameters. Unless many things are just random - but that would not qualify as design.
you can learn civil by looking at bridges!!!
Good luck trying to assess design flaws this way.
well, you can by NDT and other mechanisms, however os code is much different, I can go to the guts of every piece and test it individually... what I usually do is rip out class by class, function by function and put in test rig code and throw generated (rather extreme) parameters at it to see if it behaves as expected and out a whole load of debug exceptions so you can verify your understanding.... I'm not sure what other people do....
Luckybit
April 30, 2013, 12:56:46 PM
I really think the best thing Sunny King could do for the development of proof of stake currency is to discuss the potential weaknesses of the current system, what is currently done to combat those, and what ideas he might have for the future. I'd like to get involved, but I feel there's not enough clear information out there for me to get a good grasp of how the current implementation works and where its weaknesses may lie. I'd be extremely interested to read about this and I think proof of stake cryptocurrency is a worthy cause and, if done right, I imagine it could have both efficiency and security advantages over traditional proof of stake coins.
As far as I am aware there are no known vulnerabilities. It's just FUD. There's a huge number of PPCoins traded daily and they are worth over 30 cents, if there was some known exploit it would have been carried out. ...
Uh, what? You could have said the exact same thing about Terracoin until quite recently, when the known exploit WAS carried out. You could have said the same thing about BITCOIN until the external dependency bug that caused the blockchain to split in 2... You would make a very poor software engineer if your security analysis was based on "Well, people are using it, and it works fine, so let's not even address this known method of attack simply because it hasn't happened yet." "If it ain't broke, don't fix it" doesn't work because we are trying to plan for things that might break, i.e. obvious vulnerabilities that could be taken advantage of in a realistic situation.
Some people fail to understand the direct seriousness of this kind of design and programming. People's lives could hang in the balance of Bitcoin or alt currencies working. It's understandable that PPC doesn't work because it's not 1.0 and it's not even claimed to be a working product by Sunny King. It's in the beta phase and it's in that phase where all securities issues must be addressed. If the code is not documented then Sunny King is going to have to comb through every line and comment it. It's very important that his code be audited and he won't get maximal adoption if it's not. Many of us can read the code but if it's not commented then we don't know what it's SUPPOSED to do to check it against what it actually is doing.
Luckybit
April 30, 2013, 12:58:43 PM
I really think the best thing Sunny King could do for the development of proof of stake currency is to discuss the potential weaknesses of the current system, what is currently done to combat those, and what ideas he might have for the future. I'd like to get involved, but I feel there's not enough clear information out there for me to get a good grasp of how the current implementation works and where its weaknesses may lie. I'd be extremely interested to read about this and I think proof of stake cryptocurrency is a worthy cause and, if done right, I imagine it could have both efficiency and security advantages over traditional proof of stake coins.
As far as I am aware there are no known vulnerabilities. It's just FUD. There's a huge number of PPCoins traded daily and they are worth over 30 cents, if there was some known exploit it would have been carried out. ...
Uh, what? You could have said the exact same thing about Terracoin until quite recently, when the known exploit WAS carried out. You could have said the same thing about BITCOIN until the external dependency bug that caused the blockchain to split in 2... You would make a very poor software engineer if your security analysis was based on "Well, people are using it, and it works fine, so let's not even address this known method of attack simply because it hasn't happened yet." "If it ain't broke, don't fix it" doesn't work because we are trying to plan for things that might break, i.e. obvious vulnerabilities that could be taken advantage of in a realistic situation.
The Terracoin saga backs up what I am saying. It's called empirical justification. People were at one point deliberately attacking Terracoin and trying to do double spends. You think they weren't trying to attack PPCoin either? Of course they were. Terracoin also crumbled under the pressure of ASICs. Do you think those ASICs decided not to bother mining PPCoin? PPCoin has stood up to every challenge thrown at it so far. At the end of the day, empirically withstanding testing 'out in the wild' breeds confidence... it's what Bitcoin has had to do. Despite all the papers and discussions on it, there is no mathematical proof that the entire Bitcoin protocol is fail-safe. And no-one said "if it ain't broke, don't fix it", your reading comprehension is awful, so please spare me the condescension. And as for, "let's not even address this known method of attack", try reading my first sentence again and ask yourself why you're trying to say that to me.
Theoretical attacks are as important for consideration as practical attacks.
Yes practical attacks should be addressed first but theoretical attacks must ultimately be addressed.
Luckybit
April 30, 2013, 01:21:40 PM
is all the ppc code os?
if so can't you just read through the code?
Yes. Everything is open source. However, recreating the design documents from the source code is like trying to learn about civil engineering from looking at how people build bridges.
Really??? I have found the opposite it's only by reading and running parts of the code I can actually understand what's going on..... the design docs are often not spot on/not useful.
you can learn civil by looking at bridges!!!
Yes but you cannot audit code that way. There is a difference. A security audit of code requires clear commenting and documentation of what everything does because even a slight variation or stray from that could be a major security hole. Consider that software are just algorithms and if something works it should be able to be mapped out as an algorithm on paper. So the people saying the equations must work are absolutely correct. Then when we get the source code we can compare the source code to the equations and algorithmic proofs to determine it works as intended. Without the algorithms, equations, etc, without the documentation of what everything does, it's much harder to audit. To audit you want the maximum number of eyes looking at it and understanding it which requires clean and clear documentation of both the source code and the blueprint the algorithms and equations behind that.
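Added example, not part of the thread and not PPCoin code: the test-rig approach jubalix describes (pull out one function, throw generated extreme parameters at it), checked against a written equation as Luckybit's post asks. The reward formula, the constant and all function names are constructed assumptions; the flawed function is a stand-in written for this illustration.

```cpp
// Added example: every name and constant here is constructed; this is not PPCoin code.
#include <cstdint>
#include <cstdio>
#include <vector>
static const uint64_t BASE = 10000000000000000ULL;  // 10^16, constructed constant

// Written spec: reward(d) = floor(BASE / d^4), d >= 1. Nested floor division cannot overflow.
uint64_t reward_spec(uint32_t d) { return BASE / d / d / d / d; }

// Extracted function under test (deliberately flawed stand-in).
uint64_t reward_impl(uint32_t d) {
    uint64_t d2 = d * d;            // multiply runs in 32 bits and wraps before widening
    uint64_t d4 = d2 * d2;
    return d4 ? BASE / d4 : BASE;   // zero guard masks the wrap instead of exposing it
}

// Corrected version: widen first, and saturate where d^4 no longer fits in 64 bits.
uint64_t reward_fixed(uint32_t d) {
    if (d >= 65536) return 0;       // d^4 >= 2^64 > BASE, so the quotient is 0
    uint64_t d2 = (uint64_t)d * d;
    return BASE / (d2 * d2);
}

// Boundary-heavy inputs: 2^k - 1, 2^k, 2^k + 1 for every k, plus UINT32_MAX.
std::vector<uint32_t> extreme_inputs() {
    std::vector<uint32_t> in;
    for (int k = 0; k < 32; ++k) {
        uint32_t p = 1u << k;
        if (p > 1) in.push_back(p - 1);
        in.push_back(p);
        in.push_back(p + 1);
    }
    in.push_back(UINT32_MAX);
    return in;
}

// Returns every input where the function disagrees with the written spec.
std::vector<uint32_t> audit(uint64_t (*fn)(uint32_t)) {
    std::vector<uint32_t> bad;
    for (uint32_t d : extreme_inputs())
        if (fn(d) != reward_spec(d)) bad.push_back(d);
    return bad;
}

int main() {
    for (uint32_t d : audit(reward_impl))
        std::printf("mismatch at d=%u\n", d);
    std::printf("fixed version mismatches: %zu\n", audit(reward_fixed).size());
}
```

The flawed version agrees with the spec for every input below 65536, so only the boundary inputs expose it, and only because a written rule exists to compare against.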
TsuyokuNaritai
April 30, 2013, 03:05:53 PM
If the code is not documented then Sunny King is going to have to comb through every line and comment it. It's very important that his code be audited and he won't get maximal adoption if it's not. Many of us can read the code but if it's not commented then we don't know what it's SUPPOSED to do to check it against what it actually is doing.
I haven't seen the source code. Are you telling me it's uncommented? If so, this is a big deal. I would sell all my PPC today and not touch it again with a 10 yard cattle-prod.
tacotime
April 30, 2013, 03:32:50 PM
It's commented, just vaguely eg "This fragment of code does this"
TsuyokuNaritai
April 30, 2013, 04:00:04 PM
It's commented, just vaguely eg "This fragment of code does this"
Still not happy. Especially with a project like this. What's Sunny King's programming background? He's obviously brilliantly talented, but has he done many professional projects, or coded much in a team?
killerstorm (OP)
April 30, 2013, 04:34:56 PM
I've just looked through code of version 0.3... Problem isn't in a lack of comments... If you have a couple of days you can easily figure out how it works. (Some comments are present, by the way.)
Problem is that the flaw I outlined back in August of 2012: https://bitcointalk.org/index.php?topic=102342.msg1139483#msg1139483
Sunny changed weighting a bit, so numbers will be different. But idea is the same: it is secure only if number of active stake coins is large.
Etlase2
April 30, 2013, 04:36:28 PM
killer, I'd like to hear your input on the newest decrits proposal. It's everything proof of stake wishes it could be.
killerstorm (OP)
April 30, 2013, 09:57:59 PM
killer, I'd like to hear your input on the newest decrits proposal. It's everything proof of stake wishes it could be. Sure, when I'll get a round tuit