Using Signed Message as Proof of Authentication / Participation

[zenrol28]

Some Bounty Managers are starting to use "Google Forms" as an alternative to get a participant's report. The only problem is that BMs can't verify if the participant is the actual owner of the BTCT account linked to the report. So they require a "Proof of Authentication / Participation" in the Bounty Thread as a proof of their ownership. Now, the thing is, other participants (maybe bots) still make a report post even the Report Forms are available on the OP resulting in a spam of reports instead of having only "Proof of Authentication / Participation". A solution I can see is having a "Signed Message" instead of PoA.

Q: Why a signed message?
A: Because this proves that we own the address' private wallet.

Q: What address should we use?
A: BTC of course!

Q: Why BTC?
A: Because it has a special place in our profile.


I made signed message

Code:

-----BEGIN BITCOIN SIGNED MESSAGE-----
October 13, 2018, 02:47:40 PM
Username: zenrol28
Profile Link: https://bitcointalk.org/index.php?action=profile;u=1232224
Rank: Member
ETH address: 0x0f9740Fe0b437D06E0BA46Cd8835c9E00Ee8E412

Twitter
Link: https://twitter.com/lorenznerol
Followers: 2900

Facebook:
Link: https://www.facebook.com/takasukun
Friends: 2200

Telegram
Link: https://t.me/zenrol28

Medium
Link: https://medium.com/@zenrol28

Reddit
Link: https://www.reddit.com/user/zenrol28

Youtube
Link: https://www.youtube.com/channel/UCAqKGZMU-AeHcFU9dn1Htdw
-----BEGIN SIGNATURE-----
1BitoyExzSfjgccUFMLzNSHkJBVV1tLdju
HO3kdAq8M4Ug7agnFYevVyBTsVgUUYLdC1kvc3hi3iA/G1ZHoWFc2B5i3l4zY0Qv0jFYHEMRpw/Cp+w1bNt+DrY=
-----END BITCOIN SIGNED MESSAGE-----

Now I had proved the ownership of my BTCT account and linked them to my social media profiles and Altcoin address without having to post a PoA. This is just an example, managers have their own requirements on what they need to see in the signed message. All I need to do now is to submit this into the bounty campaign thread's registration from. Now anyone can join a campaign even the thread is lock so no one can make a spam on it.

This will also make the participants to actually learn on how to use Bitcoin and its feature.

The problem i can see in short term is a locked thread will be easily buried down. Maybe a daily bump-and-lock-again for a while can work. In the long run, if all managers will do this, we will see a much cleaner bounties section. Where we can see new campaigns on the top, hot campaigns with a lot views and no spam at all. I don't know if this had been done before, but if not, this should be, as the community grows in numbers and knowledge.

Source:
Where to run a spam free bounty campaign? [new board?]
How to sign a message?!
Added (found out someone already suggested this idea a month ago)
https://bitcointalk.org/index.php?topic=5026052.msg45632698#msg45632698

[1714191502]

1714191502

[LoyceV]

Some Bounty Managers are starting to use "Google Forms" as an alternative to get a participant's report. The only problem is that BMs can't verify if the participant is the actual owner of the BTCT account linked to the report. So they require a "Proof of Authentication / Participation" in the Bounty Thread as a proof of their ownership.

This can work. An easier solution is to just scrape the ethereum address from the Location field in the profile. A simple script can do that, and even Google Sheets can be automated to do this.
However, these are technical solutions for something that's not a problem at all for the campaign: they love and need spam in their topics, to stay on top. The more spam their thread receives, the more money they earn. It's a terrible incentive, and as long as those spammers aren't nuked by the thousands, they'll keep doing this.

The problem i can see in short term is a locked thread will be easily buried down. Maybe a daily bump-and-lock-again for a while can work. In the long run, if all managers will do this, we will see a much cleaner bounties section. Where we can see new campaigns on the top, hot campaigns with a lot views and no spam at all. I don't know if this had been done before, but if not, this should be, as the community grows in numbers and knowledge.

The "problem" is: theymos believes in freedom! And as much as I appreciate that, it turned the bounty section into a board where the biggest spammer wins. Without drastic changes, that won't change.
Any decent campaign that doesn't spam, simply can't survive in the current bounty section.

[Quickseller]

If you are referring to forcing someone who is participating in say a Twitter campaign to prove who their bitcointalk account is via a signed message, I see little value in this. I also see little value in forcing someone to post in a thread to prove the same.

Someone having a certain rank bitcointalk account will not affect the effectiveness of the Twitter advertising.

[jacee]

Even with your suggestion to require users to give a signed message, this doesn't solve/prevent multiple account users (even bots) to join the same campaign. That, still allow users to spam. Creating a new BTC wallet and signing it is easier than you think.

Btw, iirc you can also sign your ethereum wallet and prove ownership of it.

[Quickseller]

Even with your suggestion to require users to give a signed message, this doesn't solve/prevent multiple account users (even bots) to join the same campaign.

Do you care to explain why this is a problem? If one person uses two Twitter accounts in a Twitter campaign, the advertiser still gets the same amount of advertising as if the accounts were run by two people.

If there is overlap in the followers, this might need to be addressed, however having multiple accounts doesn’t affect this.

I fully understand why bounty managers push this — fighting against one person enrolling with multiple accounts will give legitimacy to the high price they charge for their services. However they are very much not acting in the best interest of their customers. One might even argue they are harming their customers.

[bluefirecorp_]

Wasn't there a vulnerability which weakened the security of the private key when the same message was sent twice?

Or was that just poor implementations of the protocol?

[Quickseller]

Wasn't there a vulnerability which weakened the security of the private key when the same message was sent twice?

Or was that just poor implementations of the protocol?

Signing a message means you have incremental loss of security. However this is nominal and realistically won’t lead to the compromise of a private key.

[bluefirecorp_]

x

Signing a message means you have incremental loss of security. However this is nominal and realistically won’t lead to the compromise of a private key.

Mind giving me a link to a technical source explaining how it's nominal? When you start talking about weakening cryptography, you start scaring me. ._.

[MainIbem]

The back staff of the campaign manager ought to have someone whose duty it is to do a validation of authentication of enrolled participants. That way it is simpler. To begin to encrypt signed messages and others makes such exercise cumbersome. And above all, it does not stop the abuse as noted from earlier posts.

[SFR10]

A solution I can see is having a "Signed Message" instead of PoA.

I like it + I see it as a solution for the following thread (to an extent [e.g. Users/bots/haters applying with someone else's address]): A question regarding duplicate/alt accounts that join bounties!

An easier solution is to just scrape the ethereum address from the Location field in the profile. A simple script can do that, and even Google Sheets can be automated to do this.

Normally "yes" but that could lead to faulty results (the above linked thread).

[The Cryptovator]

It will be little bit complicated for bounty hunters. I don't think more than 20% people's have signed message on bitcointalk. Managers could allow proof authonication post, I can't see much problem with that. Main problem is about great project and weekly report. Only few manager has been collecting bounty report by Google sheet. That's why I have asked for guidelines for bounty managers. Other wise it will not possible to control spam. If there isn't any guidelines for bounty managers than they will not encourage for manage spam free campaign. Why they will spend hard time if there is no force from forum. Why they will care about spam?

[zenrol28]

However, these are technical solutions for something that's not a problem at all for the campaign: they love and need spam in their topics, to stay on top. The more spam their thread receives, the more money they earn. It's a terrible incentive, and as long as those spammers aren't nuked by the thousands, they'll keep doing this.

I don't have any idea regarding how BMs are being paid. I just thought that they'll receive a certain percentage from the amount raised during ICO regardless of the number of bounty participants.

The "problem" is: theymos believes in freedom! And as much as I appreciate that, it turned the bounty section into a board where the biggest spammer wins. Without drastic changes, that won't change.
Any decent campaign that doesn't spam, simply can't survive in the current bounty section.

Abusing freedom is not good anymore, I think we should draw the line how far can our freedom be without affecting the community. Yes, a decent campaign that has no spam can hardly survive the bounty section's status atm. But it doesn't mean that it's not worth to try it. Change cannot be done as simply as that. 

If you are referring to forcing someone who is participating in say a Twitter campaign to prove who their bitcointalk account is via a signed message, I see little value in this. I also see little value in forcing someone to post in a thread to prove the same.

Someone having a certain rank bitcointalk account will not affect the effectiveness of the Twitter advertising.

https://bitcointalk.org/index.php?topic=2408654
This campaign was abused by cheaters because of not requiring PoA aside from the signature campaign and Facebook which required a report post.
Cheaters used dead BTCT accounts and link it to their social media accounts.
Like this one:
https://bitcointalk.org/index.php?action=profile;u=405569 (account inactive since August 11, 2015, 02:02:43 PM)
But this he/she joined this campaign and rewarded.
https://docs.google.com/spreadsheets/d/1JbpaBlLAXmjs3AAZGmwcBvbxw6RmTaeAEMmDSe3rnqM/edit#gid=647702196 (Twitter campaign row #570)
and there are a lot of them there.

This signed message method that I'm telling can also be used in signature campaign registration too. There are a lot of things that this signed messaging can be used. It's such a waste if we just ignore it.

Even with your suggestion to require users to give a signed message, this doesn't solve/prevent multiple account users (even bots) to join the same campaign. That, still allow users to spam. Creating a new BTC wallet and signing it is easier than you think.

Btw, iirc you can also sign your ethereum wallet and prove ownership of it.

Absolutely, this cannot stop multi-account users, but this can cause a lot of hassle to them unlike on those who play fair.
And yes, we can make a signed message on other crypto currencies, but i preferred BTC, because, hey this is bitcointalk btw. If majority of the members here didn't manage to have their own bitcoin wallet then i think they learned nothing from here.

The back staff of the campaign manager ought to have someone whose duty it is to do a validation of authentication of enrolled participants. That way it is simpler. To begin to encrypt signed messages and others makes such exercise cumbersome. And above all, it does not stop the abuse as noted from earlier posts.

It will be simpler for participants but harder for the managers. I think both should have benefits. I didn't had any hassle when I made my signed message. I don't think it's cumbersome to have this signed message method if this means lessening spam in the forum even a little. Practicing this method can also be helpful irl use cases.