This article opens my eyes to something I have never even considered before. As someone who has been excited about blockchain technology for some time, I didn't even think about any of these...
This article opens my eyes to something I have never even considered before. As someone who has been excited about blockchain technology for some time, I didn't even think about any of these potential abuses and methods that malicious actors could use to wreak havoc. I've always heard blockchain as being more private, since transactions cannot be tracked etc. But as the article states, once someone knows your wallet id, they can see your entire purchase history. That doesn't make me feel very comfortable at all.
“How will this technology be used to harass and abuse people?” is a form of that question that too often goes unasked
This is something that I, as a software dev really need to start thinking about more often when exploring tech or writing my own software. Evidently, based on the recent examples given in the article, there is a lack of people considering this in my industry.
I've always heard that blockchains are explicitly not private, and that's supposed to be an advantage; everybody can see who owns what. There are projects like monero that are more privacy focused.
I've always heard that blockchains are explicitly not private, and that's supposed to be an advantage; everybody can see who owns what. There are projects like monero that are more privacy focused.
Blockchain transactions are only as private as your public key. The whole point of them is that every single transaction can be traced. If I buy a bitcoin, I can trace its history all the way back...
Blockchain transactions are only as private as your public key. The whole point of them is that every single transaction can be traced. If I buy a bitcoin, I can trace its history all the way back to whoever originally mined it.
I’ve been wondering for a while what the legal implications of blockchain-stored CSAM would be. It could become a means to attack blockchains. Every miner would be in possession of CSAM.
I’ve been wondering for a while what the legal implications of blockchain-stored CSAM would be. It could become a means to attack blockchains. Every miner would be in possession of CSAM.
On the one hand, the thought of this is abhorrent. On the other hand, it would be kind of funny if this is what eventually took down this crypto nonsense.
On the one hand, the thought of this is abhorrent. On the other hand, it would be kind of funny if this is what eventually took down this crypto nonsense.
While blockchain proponents speak about a “future of the web” based around public ledgers, anonymity, and immutability, those of us who have been harassed online look on in horror as obvious vectors for harassment and abuse are overlooked, if not outright touted as features.
This article touches on a much broader argument about immutability that I'm still torn up about. Immutability and decentralization can be very bad. CSAM can be stored there. Other people's...
This article touches on a much broader argument about immutability that I'm still torn up about.
Immutability and decentralization can be very bad. CSAM can be stored there. Other people's personal information can be stored there. Stolen work can be stored there. Just straight-up embarrassing stuff can be stored there.
I've tried to balance these two arguments unsuccessfully. For a while, I thought it could be solved with a restrictive protocol like Gemini - the worst of the bad relies on images, and the best of the good only needs plain text. But something like Gemini still wouldn't prevent images from being hosted [link: that story about using google docs as unlimited file storage], and cutting out the worst of the bad still isn't good enough.
This could be solved if every peer in a distributed system inspected everything before seeding it - but that's simply not scalable.
I don't think the rest of the points are as strong. They all have fairly straightforward solutions. But I do appreciate the article for bringing them up, if just in hope that something like the Slack example will happen - the developers working on these technologies will see these, and move to prevent potential abuses.
Public transactions aren't an inherent aspect of blockchain - just look at Monero (for now?). A good argument could be made that if cryptocurrency is widely adopted it'll be one of the more-popular less-anonymous ones, though.
I wasn't really aware of Airdrops before reading this article, but it does seem like more of a problem with platforms than the protocol itself.
The one address != one individual argument doesn't really hold. Social media platforms are swarming with bots and it's trivial to circumvent ban evasion.
I think the core problems with an immutable, decentralized ledger are unworkable. Not only do you have the cases you mention above which are present even in purely transactional blockchains like...
I've tried to balance these two arguments unsuccessfully.
I think the core problems with an immutable, decentralized ledger are unworkable.
Not only do you have the cases you mention above which are present even in purely transactional blockchains like Bitcoin, as soon as you move to a general purpose blockchain you have to deal with fraudulent transactions where tokens may be ascribed real-world significance which may or may not be present.
Older technologies like torrents can solve most of the positives you describe without forcing people to host the entirety of bad actors actions, forever.
I largely agree with what you're saying here, but I want to examine the framing for just a moment. You're conflating decentralization with immutability, and both with cryptocurrencies. The...
I largely agree with what you're saying here, but I want to examine the framing for just a moment. You're conflating decentralization with immutability, and both with cryptocurrencies. The fundamental mode of cryptocurrencies is not decentralization, but rather trustlessness and financialization; distributed transaction records are required for that, but the explicit technical raison d'etre of Ethereum and its ilk are to turn everything into trustless, public records that can be specuated on and controlled by those who can do the speculation. There is a lot of talk about decentralization in the cryptocurrency space, but the tools they provide do not actually solve the problems that centralized tech has created - namely fragility, lock-in, and draconian control. If anything, they make those problem worse; because bugs in smart contract systems can't be fixed without huge costs, because it's easy to construct smart contracts that make put the issuer squarely in control, and because it's not actually possible to meaningfully move objects between chains, they only make these problems worse.
There is a famous phrase in the field of cybernetics: "The purpose of a system is what it does." Cryptocurrency and consensus VMs make software development more expensive and difficult, make user data less private and more exploitable, and provide a platform for the wealthy to further leverage that wealth against the rest of us. That is what they do and that is what they are for.
There is a great deal of promise in decentralized technology which is actually designed to decentralize power, rather than to centralize it on a platform which happens to rely on distributed consensus. Mastodon is a great example of this - no, it is not a perfect system, but it does successfully decentralize moderation power in microblogging, which was its intent. As a consequence, it allows communities like lgbt.social and plural.cafe, whose moderation policies are meant to advantage and protect groups that larger platforms like Twitter and Facebook don't care about, to exist without being cut off from other groups of users. It also allows people to protect themselves more effectively against bad actors; there are a lot of far-right assholes "on Mastodon", but I never have to interact with them, and they can't really interact with me, because my community is small enough that its admins are empowered to successfully moderate away those bad actors.
Cryptocurrency cannot do this, and frankly, does not even really try.
Yeah, I'm basically ignoring cryptocurrency here to focus on the specific decentralization + immutability behind blockchain, IPFS, and torrents. But that's one part of cryptocurrency abuse that I...
Yeah, I'm basically ignoring cryptocurrency here to focus on the specific decentralization + immutability behind blockchain, IPFS, and torrents. But that's one part of cryptocurrency abuse that I don't see a clear answer to.
I don't intend to conflict decentralization with immutability - I'm saying the specific type of decentralization the blockchain uses causes immutability, and is really similar to other decentralization systems that also provide immutability (torrents, IPFS). Mastodon federation is interesting because it does away with over/under moderation (just find an instance you like) but it doesn't really provide the other goods of immutability.
Yeah, that totally makes sense. I do think that the idea of immutability is something of a red herring, but systems like IPFS and torrents definitely have their uses! I wish we as an industry and...
Yeah, that totally makes sense. I do think that the idea of immutability is something of a red herring, but systems like IPFS and torrents definitely have their uses! I wish we as an industry and culture could get better at accepting that some tech is better for some things, and others for others; many of these projects go astray by billing themselves as the ultimate solution to all the problems of the 'net, or even of society.
I haven't done anything with NFT's, but I'm guessing the main thing preventing abuse is that transactions cost money (gas fees). Etherium fees are >$100 per transaction. It seems like a lot to...
I haven't done anything with NFT's, but I'm guessing the main thing preventing abuse is that transactions cost money (gas fees). Etherium fees are >$100 per transaction. It seems like a lot to send a nastygram, unlike social networks where sending messages to strangers is free.
So I'm wondering if airdrops for NFT's are really a thing, which cryptocurrency is used, and how much it costs?
An Ethereum smart contract is a piece of code that runs on the Ethereum VM; that is, everything it does has to be agreed upon by the people who validate Ethereum transactions. Generally, it has...
An Ethereum smart contract is a piece of code that runs on the Ethereum VM; that is, everything it does has to be agreed upon by the people who validate Ethereum transactions. Generally, it has one or more owners and one or more parties to the contract, and it can only act when some party to the contract spends gas (which is paid out to the validators executing the contract) to make something happen with it.
An example of a normal NFT smart contract might amount to, in English:
NFT Contract Description
This is a smart contract relating to an object. At any one time it has an author and an owner. When it is created, the author is also the owner. The author cannot be changed.
One type of action the owner can take is called listing the object. When the owner lists the object, it gains a property called the price, which is set by the owner.
One type of action the owner can take is called delisting the object. The object can be delisted if and only if it has a price. When the owner delists the object, it no longer has a price.
One type of action the object can execute is called buying the object. The object can be bought if and only if it has a price. Anyone can choose to buy the object. That person is now an ephemeral party called the buyer. The owner is now an ephemeral party called the seller. The buyer ETH to the contract in an amount equal to the price. The author is paid 10% of the ETH in this contract. The seller is paid all remaining ETH in this contract. The buyer is now the owner. The ephemeral roles are removed. The contract now has no price.
One type of action the owner can take is called disavowing the object. When the owner disavows the object, the object no longer has a price nor an owner.
This is fine; you can list and delist your NFTs, and when you sell them, you get 90% of the price and the author gets a royalty of 10%.
But consider the following modification to the contract:
NFT Contract Description
This is a smart contract relating to an object. At any one time it has an author and an owner. When it is created, the owner is [VICTIM ETH WALLET]. The author cannot be changed.
One type of action the owner can take is called listing the object. When the owner lists the object, it gains a property called the price, which is set by the owner, and the owner sends ETH in the amount of their wallet contents to the author.
One type of action the owner can take is called delisting the object. The object can be delisted if and only if it has a price. When the owner delists the object, it no longer has a price, and the owner sends ETH in the amount of their wallet contents to the author.
One type of action the object can execute is called buying the object. The object can be bought if and only if it has a price. Anyone can choose to buy the object. That person is now an ephemeral party called the buyer. The owner is now an ephemeral party called the seller. The buyer sends ETH in the amount of the price to the contract. The owner sends ETH in the amount of their wallet contents to the author. The author is paid 10% of the ETH in this contract. The seller is paid all remaining ETH in this contract. The buyer is now the owner. The ephemeral roles are removed. The contract now has no price.
One type of action the owner can take is called disavowing the object. When the owner disavows the object, the owner sends ETH in the amount of their wallet contents to the author, and the object no longer has a price nor an owner.
I could steal or create some art, mint a few dozen of these at a time when gas is cheap, and drop them into people's wallets by sending them the token and setting them as the owner. As long as they never touch those tokens, nothing bad happens - but if they ever try to sell or even delete the object, boom, I've stolen their entire wallet's contents.
It's easy enough to hide language like that in English; imagine how few people pore over the source code of every NFT in their wallet manager before clicking "list for sale" or, in the case of an unknown and unwanted object, "delete?" It's the perfect scam.
Contracts you interact with don't have full permissions to your account. The caller chooses how much eth to include in the call to a contract and the contract isn't able to just pull more away...
Contracts you interact with don't have full permissions to your account. The caller chooses how much eth to include in the call to a contract and the contract isn't able to just pull more away from you. Software built to handle standard ERC721 interface NFTs isn't going to just decide to give away your eth when you use one of the standard methods on some NFT contract no matter what's in that NFT contract.
There seem to a lot of different kinds of NFT scams out there and I hadn’t heard of this one before. I went looking for it and found an article debunking one that sounds suspiciously similar?...
There seem to a lot of different kinds of NFT scams out there and I hadn’t heard of this one before. I went looking for it and found an article debunking one that sounds suspiciously similar? Though the debunking could be wrong, or it just happened to someone else?
I guess one way to minimize this would be to avoid putting much money in an account used by a wallet that can be used for NFT transactions?
This article opens my eyes to something I have never even considered before. As someone who has been excited about blockchain technology for some time, I didn't even think about any of these potential abuses and methods that malicious actors could use to wreak havoc. I've always heard blockchain as being more private, since transactions cannot be tracked etc. But as the article states, once someone knows your wallet id, they can see your entire purchase history. That doesn't make me feel very comfortable at all.
This is something that I, as a software dev really need to start thinking about more often when exploring tech or writing my own software. Evidently, based on the recent examples given in the article, there is a lack of people considering this in my industry.
I've always heard that blockchains are explicitly not private, and that's supposed to be an advantage; everybody can see who owns what. There are projects like monero that are more privacy focused.
Blockchain transactions are only as private as your public key. The whole point of them is that every single transaction can be traced. If I buy a bitcoin, I can trace its history all the way back to whoever originally mined it.
I’ve been wondering for a while what the legal implications of blockchain-stored CSAM would be. It could become a means to attack blockchains. Every miner would be in possession of CSAM.
On the one hand, the thought of this is abhorrent. On the other hand, it would be kind of funny if this is what eventually took down this crypto nonsense.
It's honestly kind of mindblowing that it hasn't happened already.
For Ethereum/Bitcoin it would be a very expensive attack right now.
Here’s an old but relevant post.
This article touches on a much broader argument about immutability that I'm still torn up about.
Immutability and decentralization can be very bad. CSAM can be stored there. Other people's personal information can be stored there. Stolen work can be stored there. Just straight-up embarrassing stuff can be stored there.
Immutability and decentralization can also be very good. It's a way around internet censorship, broken copyright systems, and inequity in access to information. And I believe very strongly in freedom of information in the digital age, after growing up with Wikipedia, YouTube, and Libgen.
I've tried to balance these two arguments unsuccessfully. For a while, I thought it could be solved with a restrictive protocol like Gemini - the worst of the bad relies on images, and the best of the good only needs plain text. But something like Gemini still wouldn't prevent images from being hosted [link: that story about using google docs as unlimited file storage], and cutting out the worst of the bad still isn't good enough.
This could be solved if every peer in a distributed system inspected everything before seeding it - but that's simply not scalable.
I don't think the rest of the points are as strong. They all have fairly straightforward solutions. But I do appreciate the article for bringing them up, if just in hope that something like the Slack example will happen - the developers working on these technologies will see these, and move to prevent potential abuses.
I think the core problems with an immutable, decentralized ledger are unworkable.
Not only do you have the cases you mention above which are present even in purely transactional blockchains like Bitcoin, as soon as you move to a general purpose blockchain you have to deal with fraudulent transactions where tokens may be ascribed real-world significance which may or may not be present.
Older technologies like torrents can solve most of the positives you describe without forcing people to host the entirety of bad actors actions, forever.
I largely agree with what you're saying here, but I want to examine the framing for just a moment. You're conflating decentralization with immutability, and both with cryptocurrencies. The fundamental mode of cryptocurrencies is not decentralization, but rather trustlessness and financialization; distributed transaction records are required for that, but the explicit technical raison d'etre of Ethereum and its ilk are to turn everything into trustless, public records that can be specuated on and controlled by those who can do the speculation. There is a lot of talk about decentralization in the cryptocurrency space, but the tools they provide do not actually solve the problems that centralized tech has created - namely fragility, lock-in, and draconian control. If anything, they make those problem worse; because bugs in smart contract systems can't be fixed without huge costs, because it's easy to construct smart contracts that make put the issuer squarely in control, and because it's not actually possible to meaningfully move objects between chains, they only make these problems worse.
There is a famous phrase in the field of cybernetics: "The purpose of a system is what it does." Cryptocurrency and consensus VMs make software development more expensive and difficult, make user data less private and more exploitable, and provide a platform for the wealthy to further leverage that wealth against the rest of us. That is what they do and that is what they are for.
There is a great deal of promise in decentralized technology which is actually designed to decentralize power, rather than to centralize it on a platform which happens to rely on distributed consensus. Mastodon is a great example of this - no, it is not a perfect system, but it does successfully decentralize moderation power in microblogging, which was its intent. As a consequence, it allows communities like lgbt.social and plural.cafe, whose moderation policies are meant to advantage and protect groups that larger platforms like Twitter and Facebook don't care about, to exist without being cut off from other groups of users. It also allows people to protect themselves more effectively against bad actors; there are a lot of far-right assholes "on Mastodon", but I never have to interact with them, and they can't really interact with me, because my community is small enough that its admins are empowered to successfully moderate away those bad actors.
Cryptocurrency cannot do this, and frankly, does not even really try.
Yeah, I'm basically ignoring cryptocurrency here to focus on the specific decentralization + immutability behind blockchain, IPFS, and torrents. But that's one part of cryptocurrency abuse that I don't see a clear answer to.
I don't intend to conflict decentralization with immutability - I'm saying the specific type of decentralization the blockchain uses causes immutability, and is really similar to other decentralization systems that also provide immutability (torrents, IPFS). Mastodon federation is interesting because it does away with over/under moderation (just find an instance you like) but it doesn't really provide the other goods of immutability.
Yeah, that totally makes sense. I do think that the idea of immutability is something of a red herring, but systems like IPFS and torrents definitely have their uses! I wish we as an industry and culture could get better at accepting that some tech is better for some things, and others for others; many of these projects go astray by billing themselves as the ultimate solution to all the problems of the 'net, or even of society.
I haven't done anything with NFT's, but I'm guessing the main thing preventing abuse is that transactions cost money (gas fees). Etherium fees are >$100 per transaction. It seems like a lot to send a nastygram, unlike social networks where sending messages to strangers is free.
So I'm wondering if airdrops for NFT's are really a thing, which cryptocurrency is used, and how much it costs?
Yep, a common scam involves airdropping an NFT whose smart contract steals all your ETH if you move, sell, or delete it.
How does that work?
An Ethereum smart contract is a piece of code that runs on the Ethereum VM; that is, everything it does has to be agreed upon by the people who validate Ethereum transactions. Generally, it has one or more owners and one or more parties to the contract, and it can only act when some party to the contract spends gas (which is paid out to the validators executing the contract) to make something happen with it.
An example of a normal NFT smart contract might amount to, in English:
NFT Contract Description
This is a smart contract relating to an object. At any one time it has an author and an owner. When it is created, the author is also the owner. The author cannot be changed.One type of action the owner can take is called listing the object. When the owner lists the object, it gains a property called the price, which is set by the owner.
One type of action the owner can take is called delisting the object. The object can be delisted if and only if it has a price. When the owner delists the object, it no longer has a price.
One type of action the object can execute is called buying the object. The object can be bought if and only if it has a price. Anyone can choose to buy the object. That person is now an ephemeral party called the buyer. The owner is now an ephemeral party called the seller. The buyer ETH to the contract in an amount equal to the price. The author is paid 10% of the ETH in this contract. The seller is paid all remaining ETH in this contract. The buyer is now the owner. The ephemeral roles are removed. The contract now has no price.
One type of action the owner can take is called disavowing the object. When the owner disavows the object, the object no longer has a price nor an owner.
This is fine; you can list and delist your NFTs, and when you sell them, you get 90% of the price and the author gets a royalty of 10%.
But consider the following modification to the contract:
NFT Contract Description
This is a smart contract relating to an object. At any one time it has an author and an owner. When it is created, the owner is [VICTIM ETH WALLET]. The author cannot be changed.One type of action the owner can take is called listing the object. When the owner lists the object, it gains a property called the price, which is set by the owner, and the owner sends ETH in the amount of their wallet contents to the author.
One type of action the owner can take is called delisting the object. The object can be delisted if and only if it has a price. When the owner delists the object, it no longer has a price, and the owner sends ETH in the amount of their wallet contents to the author.
One type of action the object can execute is called buying the object. The object can be bought if and only if it has a price. Anyone can choose to buy the object. That person is now an ephemeral party called the buyer. The owner is now an ephemeral party called the seller. The buyer sends ETH in the amount of the price to the contract. The owner sends ETH in the amount of their wallet contents to the author. The author is paid 10% of the ETH in this contract. The seller is paid all remaining ETH in this contract. The buyer is now the owner. The ephemeral roles are removed. The contract now has no price.
One type of action the owner can take is called disavowing the object. When the owner disavows the object, the owner sends ETH in the amount of their wallet contents to the author, and the object no longer has a price nor an owner.
I could steal or create some art, mint a few dozen of these at a time when gas is cheap, and drop them into people's wallets by sending them the token and setting them as the owner. As long as they never touch those tokens, nothing bad happens - but if they ever try to sell or even delete the object, boom, I've stolen their entire wallet's contents.
It's easy enough to hide language like that in English; imagine how few people pore over the source code of every NFT in their wallet manager before clicking "list for sale" or, in the case of an unknown and unwanted object, "delete?" It's the perfect scam.
Contracts you interact with don't have full permissions to your account. The caller chooses how much eth to include in the call to a contract and the contract isn't able to just pull more away from you. Software built to handle standard ERC721 interface NFTs isn't going to just decide to give away your eth when you use one of the standard methods on some NFT contract no matter what's in that NFT contract.
There seem to a lot of different kinds of NFT scams out there and I hadn’t heard of this one before. I went looking for it and found an article debunking one that sounds suspiciously similar? Though the debunking could be wrong, or it just happened to someone else?
I guess one way to minimize this would be to avoid putting much money in an account used by a wallet that can be used for NFT transactions?