
edicted

WEB2 >> WEB3: Mitigating the Prescient Attack Vector of All Hive Lite Accounts


Back in 2017 when Steem was spiking to $8 and shitposts within this community were getting 4-digit dollar payouts, we saw an attack vector emerge from an unlikely source. I forget the name of the Blackhat that did this, but he's not that important to begin with. He figured out how to farm Steemit Incorporated delegations by creating new accounts.

Back then Steemit Inc. was giving something like 30 Steem Power per account in order to have the "bandwidth" to operate on chain. This was before Resource Credits even existed, and it was indeed a bandwidth system that was not as good as resource credits.


I can tell you I was proud of those 1000 coins I acquired.

Now I make 1000 coins every week.
Pretty insane.

But that's not the point.

The point is that using very basic knowledge of the Steem ecosystem, this blackhat was able to create a bot army that Steemit Incorporated was feeding 30 SP per account or whatever it was. Farming accounts in this way only became financially viable when Steem spiked from 10 cents to $8. All of a sudden each farmed account became 80 times more valuable. The 30 SP accounts were added to a bot army that curated/upvoted posts at the blackhat's command.

Again, this all becomes possible when the value of the token spikes up. This is because the bandwidth limitations on this network can not scale up nearly as fast as the price when we enter a mega-bull-run. The value of the token can go x100 before our bandwidth and infrastructure receive any upgrades whatsoever. Thus the amount of bandwidth legitimate users need remains the same, but the dollar cost to delegate new users skyrockets.

The price of transitioning from WEB2

At the risk of saying cliché crypto things, we really need to get innovative and creative with our solutions to these problems. WEB2 has made people soft. It has turned them into cattle or other forms of livestock. They are the product; the data they create is owned by the WEB2 entity that gives them 'free service'.

And thus if we want to get users over here to WEB3 we have to make a transition bridge. It has to LOOK like WEB2 but it has to actually be WEB3 under the surface. We won't be able to strip away the façade of this deception until mainstream adoption comes and the people of this world actually understand that WEB3 means no more free service. When you own your data you are no longer data livestock, but a valuable employee of the network ready to make contributions and get paid for the work.

LEO and SPK network

Both of these networks are trying to do what Steemit Incorporated was doing (sort of). Any frontend or app of Hive needs to onboard users. Onboarding is very difficult because the learning curve for Hive is surprisingly steep. Perhaps you don't think it is difficult because you thought it was cool and were more than willing to do the work (this applies to yours truly); however, other, shall we say, lazier users will not be willing to do the work and will ragequit when they don't get the UX they were expecting.


And Thus: Lite Accounts Were Born!

The idea here is that the frontend will act as custodian for the user, holding all their security keys for them on their node, while the new user slowly figures out the platform instead of being hit with a ton of bricks right from day one. It's a good idea, but it needs some work.

We need to be gamifying the experience of learning about keys. We need newbie frontends that don't have full access to everything and slowly unlock different aspects of the platform so all this new WEB3 stuff doesn't overwhelm them. Not only that, this is the attention economy, so we need to be paying users to do these things. There are several ways to do this and some of them even involve a bit of trickery (for example charging the user debt only to take away that debt later as a reward for learning about the platform). However, before we can do any of these things we need to crush the obvious attack vector.

RC delegations

Many devs on Hive think this is going to solve the problem... it's not going to, and it's frustrating that so many devs around here don't seem to understand why. To be fair, it's going to help the problem quite a bit, and it will perhaps even push the problem back even five years so we won't have to deal with it again until that time. But there is a better way of stopping bot armies from farming Hive accounts, and no one has even attempted it or talked about it (except me of course).

The solution is a simple one.

Deceptively simple.

If blackhats are farming Hive accounts because farmed Hive accounts have value (RC delegations reduce this value but they do not eliminate it, especially when Hive is growing exponentially) then... stop letting the blackhat own the accounts. Duh!

Now perhaps a Hive dev would read that sentence and be thinking, "Wow, what an asshole! If we don't let the blackhats own the account then how are we going to let legitimate users own the account? That's the entire point!"

That is, indeed, the crux of the issue.

How do we separate the chaff from the wheat?


It's actually quite easy:

Stop giving users their accounts for free! DUH!

But if we stop giving away accounts for free then we lose the WEB2 experience and the transition bridge from WEB2 to WEB3 gets severed. Hive will not achieve mainstream adoption until WEB3 itself goes mainstream and the bridge becomes unnecessary.

Again, another extremely valid point that needs to be manipulated to get the best of both worlds.

Users need the WEB2 experience but they need to pay for WEB3 access. How can we resolve this conflict?

Ironically, the solution is debt.

We can put new users into debt immediately on account creation without them even knowing they are in debt. How would they know they are in debt? They are noobs. Know nothing noobs who know nothing. They won't mind if we put them into debt.

So every Lite account that gets created will charge new users something like 5 Hive to create their account. This is debt, so the user gets a WEB2 experience. The user did not have to enter their credit card to buy 5 Hive for an account. The user got their account for "free" just like in WEB2. Only a password and email address for 2FA is required, just like WEB2. On the backend the custodian node still owns the WEB3 account and will not release it until they have been paid back in full.

UPGRADE

If a user wants to upgrade their account to WEB3 and gain access to those keys, then they need to pay the 5 Hive debt back to get it. It could even be 10 Hive that they owe back. This would be even better for UX, and I'll explain why.


It only costs 3 Hive to create an account.

Why would we charge more Hive to users than the cost to create the account? Isn't that greedy? No, it's smart. It's just like on Black Friday when all those companies jack up their prices two weeks before and then lower them on Black Friday to trick the sheep into thinking they are getting a good deal. It's genius really.

If we charge an account 10 Hive in debt on creation, then we can create a gamified experience about learning what Hive is. Perhaps a tutorial is created to teach the noobs what a private posting key is. On completion of the tutorial the user earns 1 or 2 Hive that is credited to their account. Now they owe back less money to upgrade to WEB3.

Same story for learning about the other keys or writing a blog post or how there are dozens of Hive frontends (all with the same login) or how to send and receive money or how curation works or what witnesses are or how the decentralized hive fund works or what powering up means or...

You see, when we actually stack up the learning curve on Hive and WEB3, it really is nothing like WEB2, and this is why people have so much trouble with it. If we want users, we need the transition from WEB2 to WEB3 to not only be painless, but also a fun and gamified experience. The attention economy demands they get paid for providing value to the network. Learning about the network is quite valuable when millions of users are doing it all at once and getting ready for their journey as Hive employees.
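
The debt scheme described above, sketched as a custodian-side ledger (an added example, not code from this post or from any Hive frontend). The class and function names are hypothetical; the 3 and 10 Hive figures come from the post, and capping tutorial credits at the markup is an assumption of this example, made so that a bot clicking through every tutorial still owes the real creation cost before any keys are released.

```python
from dataclasses import dataclass, field
from decimal import Decimal

CREATION_COST = Decimal("3")   # on-chain account cost quoted in the post
INITIAL_DEBT = Decimal("10")   # debt booked at signup, as the post proposes
# Assumption: credits come only out of the markup above the creation cost.
MAX_CREDIT = INITIAL_DEBT - CREATION_COST


@dataclass
class LiteAccount:
    name: str
    debt: Decimal = INITIAL_DEBT
    credited: Decimal = Decimal("0")
    completed: set = field(default_factory=set)
    keys_released: bool = False

    def complete_tutorial(self, tutorial_id: str, reward: Decimal) -> Decimal:
        """Offset debt for a tutorial; return the credit actually applied."""
        if self.keys_released or tutorial_id in self.completed:
            return Decimal("0")  # replayed or post-upgrade claim pays nothing
        self.completed.add(tutorial_id)
        # Credits only ever reduce debt; they are never a withdrawable balance.
        credit = max(min(reward, MAX_CREDIT - self.credited, self.debt), Decimal("0"))
        self.credited += credit
        self.debt -= credit
        return credit

    def pay(self, amount: Decimal) -> Decimal:
        """Apply a real HIVE payment; return any overpayment to refund."""
        if amount <= 0:
            raise ValueError("payment must be positive")
        applied = min(amount, self.debt)
        self.debt -= applied
        return amount - applied

    def release_keys(self) -> bool:
        """The custodian hands over keys only once the debt is zero."""
        if self.debt == 0:
            self.keys_released = True
        return self.keys_released


def farm_attempt(n_tutorials: int) -> LiteAccount:
    """Constructed bot run: claim many 2-HIVE tutorials and pay nothing."""
    bot = LiteAccount("constructed-bot")
    for i in range(n_tutorials):
        bot.complete_tutorial(f"tutorial-{i}", Decimal("2"))
    return bot
```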

Imagine what happens when Hive spikes to $100 a coin.

Let's be honest, 99% of users on this network don't give a flying fuck what happens when Hive is $100, because they just went x100 on their personal stack. They're rich! There are no problems! WEEEEEE! Let's celebrate. Everyone is making 4 to 5 digit figures on their blog posts. Everyone is losing their damn minds just like in 2017.

This is dangerous.

In reality, the price spiking to $100 is actually a way bigger problem for the network than what we have now. Imagine the cost of accounts going to $300. Imagine lowering the cost of accounts to 1 Hive, and it still costs $100 to create an account and even then the burden to the nodes is too high and everything is breaking. There's a reason making an account costs money and we can't "just lower it" and expect zero consequences. That's delusional thinking.

But if we gamify the experience and charge users debt, then imagine how this entire situation gets flipped. All of a sudden a new user learns about the private posting key and they "earn" 1 Hive for doing so. The UX creates a massive positive feedback loop because the user feels like they just earned $100 to learn about a network where there is a lot more money where that came from. This is a sustainable way of doing things that will generate massive hype and a positive feedback loop that actually can be maintained as we scale up.


UX is your new god now!

The User eXperience of a development like this will have a staggering effect. Users will feel like they are making money even though it's all smoke and mirrors. That's exactly what a transition from WEB2 to WEB3 has to be if we want to get that mythical mainstream adoption everyone is talking about.

Demonetizing the blackhats

If blackhats do not get to own the keys to the accounts they create for free, then 99% of them will stop trying to exploit the network in this way. That leaves the remaining 1% who want to fuck with that particular frontend just for the fun of it (or if we have enemies trying to bring it down).

The only way to truly mitigate the attack vector 100% is to create WEB2 accounts that never even create the Hive WEB3 account until they are actually paid for with RCs/Hive. I think the SPK network is working on this concept with Ceramic accounts but I need to look into it more deeply.

However, this is probably not necessary because we already have seen how WEB2 deals with these situations. WEB2 accounts require an email address. These days some of them even require a phone number. Also there are CAPTCHAs everywhere to curb the Sybil attack vector. We can employ all of the same strategies that traditional WEB2 would to mitigate these issues.


Conclusion

Viruses are a necessary evil of life, progression, and evolution; be it within a digital landscape or IRL. Without viruses attacking every possible threat vector, we would never be properly incentivized to create robust systems that defend themselves and have staying power. Perhaps it's time for me to buy some Vitamin C, D, and Zinc supplements. Diet and exercise can't hurt either, just like spending the extra time to make a program unassailable is also not a waste of time or resources. Too many devs stumble forward in this space instead of taking the time required to shore up their defenses and clean up the mess behind them.

Thus far, none of the onramps to Hive have any kind of useful onboarding to new users. If it doesn't look and feel like WEB2 then it isn't going to work, but also if users aren't being charged for the upgrade to WEB3 it will be exploited by bot farmers who know these things have value. Again, the solution to this problem is debt and the gamification of our steep learning curve. No one said the transition to WEB3 was going to be an easy one.

Posted Using LeoFinance Beta



WEB2 >> WEB3: Mitigating the Prescient Attack Vector of All Hive Lite Accounts was published on and last updated on 05 Apr 2022.