25 votes

Moxie Marlinspike: My first impressions of web3

24 comments

  1. [14]
    meff

    IMO this is a great critique on web3 because it takes time to not only document the biases of the author but because the author actually used the technology and also did his best to steelman his criticisms. It's the kind of due diligence that I see lacking in most critiques of cryptocurrency, which causes many of their arguments to be meandering, incoherent, incorrect, and largely emotional.

    17 votes
    1. [12]
      nothis

      The more posts I read from people with genuine knowledge of the fundamentals, the less I believe in "blockchain" as a thing. I did not know how much of the current blockchain infrastructure runs through like 2 companies who essentially just sell you a URL that they have full control over (is that really it?!?). That completely breaks any promise of "decentralization" and basically just adds CPUs running in circles to an existing system. It's pasting a popular concept onto an existing one to sell it, not a real solution to a real problem. It's a real "the emperor has no clothes" kinda situation.

      Together with a government crackdown (which supposedly is a "good thing" but it basically means taking the "decentralized" part out of a feature whose only purpose is decentralizing things) I see no practical purpose for blockchain technology. The whole thing should crash and burn.

      10 votes
      1. [10]
        Macil

        > I did not know how much of the current blockchain infrastructure runs through like 2 companies who essentially just sell you a URL that they have full control over (is that really it?!?).

        If Infura or Alchemy ever took advantage of clients trusting their results by modifying them, then the community would blacklist them very fast, people would change their rpc configs to point to an alternative, and Metamask would update the default config. It's not great that Infura is in an abusable position like that, but the fact that it is so easily worked around is pretty great compared to most services and keeps them on a leash. What "web 2" service used by anyone could be so easily replaced by swapping a URL in a config, without losing your account or anything? To grade both as the same kind of centralization is removing a lot of nuance.

        Also there is research into making light clients possible, so that results from RPC services like Infura can be verified. The techniques are known, it's just about finding the right trade-offs and getting it standardized. I think it's pretty rash to decide that the entire technology should be destroyed because it's not done in that yet and has some hypothetical risks.

        4 votes
        1. mono

          > then the community would blacklist them very fast, people would change their rpc configs to point to an alternative

          This is the same argument free market capitalists give when they fight against regulation. It only makes sense if you assume everyone is always 100% informed, rational, and has singular and entirely practical motivations for choosing one thing over another - and that there are and always will be aboveboard alternatives available. It's absurd, and the risk isn't hypothetical. I don't even feel like I need to illustrate any real examples of markets failing to regulate themselves because I'm sure everyone can think of several themselves.

          IMO, the primary benefit of blockchain is transparency - not "decentralization." It allows you to create ledgers that, in theory, cannot be manipulated without leaving a bit of irrefutable evidence. That's awesome and useful, but that's it. Every other economic wrinkle still exists because transaction mechanics aren't the fundamental issue.

          10 votes
        2. [8]
          nothis

          > What "web 2" service used by anyone could be so easily replaced by swapping a URL in a config, without losing your account or anything?

          Ok, maybe I got that wrong from the article but isn't it basically just you owning a string of text that is a URL? What can be swapped would then be the content hosted by the URL, not the URL itself. If the URL is on a domain owned by a company, that company has full control over what you own.

          Relevant part of the article:

          > Instead of storing the data on-chain, NFTs instead contain a URL that points to the data. What surprised me about the standards was that there’s no hash commitment for the data located at the URL. Looking at many of the NFTs on popular marketplaces being sold for tens, hundreds, or millions of dollars, that URL often just points to some VPS running Apache somewhere. Anyone with access to that machine, anyone who buys that domain name in the future, or anyone who compromises that machine can change the image, title, description, etc for the NFT to whatever they’d like at any time (regardless of whether or not they “own” the token).

          7 votes
          1. [7]
            Greg

            There are a couple of different things going on in the article and I think you might be mixing two together.

            Within the NFTs themselves, the issue is that the image isn't generally stored on-chain - so you use a URL to point to the image instead, and as he demonstrated with the emoji, the content served by a URL isn't necessarily stable over time or even guaranteed to give a consistent result here and now. Simply including a checksum for the content would at least allow consistency to be verified, although it does nothing to prevent removal. I've seen IPFS URLs suggested as a potential solution there but I haven't looked into it personally.

            Separately to that, the ecosystem is centralising on Infura, Alchemy, and a few other service providers to provide a hosted, developer-friendly API to get at any arbitrary data from the blockchain when building products. The point that @Macil is making is that the globally accessible nature of the blockchain means that if one of those services does breach trust in any way, or start overcharging, or whatever then a competitor can quickly spring up and the services previously depending on Infura can simply swap their calls from https://api.infura.io to https://api.coolnewprovider.com safe in the knowledge that the underlying data is the same. The chain itself isn't controlled by those firms, they're just the ones hosting easy to use gateways right now.

            4 votes
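
The checksum idea from the comment above, as an added example (not code from the thread or from the article): a token record that carries a SHA-256 commitment lets any viewer detect a host that serves different bytes to different clients, or that has dropped the file. The record layout, the `content_sha256` field, the URL and the `fake_fetch` host are constructed for illustration; the NFT standards discussed here define no such field.

```python
import hashlib
import hmac
from typing import Callable, Optional


def commit(content: bytes) -> str:
    """Hash commitment over the exact bytes the token is meant to reference."""
    return hashlib.sha256(content).hexdigest()


# Constructed sample data: stand-ins for the real artwork bytes.
ORIGINAL_ART = b"\x89PNG constructed sample: original artwork"
SWAPPED_ART = b"\x89PNG constructed sample: replacement image"

# Hypothetical token record. Only the URL mirrors what the article describes;
# the content_sha256 field is the addition being demonstrated.
TOKEN = {
    "name": "Example token #1",
    "image": "https://nft-host.example.invalid/1.png",
    "content_sha256": commit(ORIGINAL_ART),
}


def fake_fetch(url: str, user_agent: str) -> Optional[bytes]:
    """Offline stand-in for an HTTP GET against the image host.

    Models a host that varies its answer by client, and one that has
    removed the file (returns None).
    """
    if user_agent.startswith("marketplace-crawler"):
        return ORIGINAL_ART
    if user_agent.startswith("archive-bot"):
        return None  # file no longer served
    return SWAPPED_ART


def check(token: dict, body: Optional[bytes]) -> str:
    """Classify one fetched body against the token's commitment."""
    if body is None:
        return "unavailable"  # a hash detects substitution, not removal
    same = hmac.compare_digest(commit(body), token["content_sha256"])
    return "match" if same else "mismatch"


def audit(token: dict, user_agents: list,
          fetch: Callable[[str, str], Optional[bytes]] = fake_fetch) -> dict:
    """Fetch the token's URL as several clients and report each outcome."""
    return {ua: check(token, fetch(token["image"], ua)) for ua in user_agents}


if __name__ == "__main__":
    clients = ["marketplace-crawler/1.0", "wallet-app/2.3", "archive-bot/0.1"]
    for ua, outcome in audit(TOKEN, clients).items():
        print(f"{ua:28} {outcome}")
```
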
            1. [6]
              nothis

              I'm pretty much certain that there's things I don't understand but I don't really see where we're disagreeing, here: Technically, you're buying a URL. Can you change that URL later? What does "swap their calls" mean in this context? I thought the content of the token was fixed and just ownership can be transferred?

              I found this article on the $69 million artwork sold earlier last year which strikes me as a real-world, no-nonsense example. It too feels flimsy (at one point, it's just people agreeing that it's "true" ownership) but it has a hash of a 300MB JPG file in there which at least seems concrete. It also has an IPFS address which seems less concrete but at least something that can't be wiped off the internet by a single company.

              But the op's article clearly describes a situation where the NFT simply contains a URL so the content is just hosted by the owner of the URL. How can that be "swapped"?

              1. [5]
                Greg

                Broadly, we're not disagreeing! It's just that the article, and a few of the posts here, aren't only talking about NFTs - they're talking about wallets, payment processors, crypto exchanges, NFT marketplaces, pretty much any application that can be built using the blockchain (and in this case specifically ethereum) as a database.

                I don't normally like doing the whole "reply to each line" thing, but I actually think it might be helpful here!

                > Technically, you're buying a URL

                To be really specific, you're buying a piece of JSON-like data managed by a smart contract. That distinction isn't just pedantry - it means that NFTs are a conceptually quite broad class of tech, covering everything from the simplest case (which is just a title and URL in the object), to record keeping for physical-world transactions (e.g. stocks, real estate), to interactive games (e.g. Cryptokitties).

                Right now, in common usage, if someone buys the NFT of whatever meme they're getting exactly what you describe, though. A URL pointing to some random server and an ID certifying that they're the owner - Marlinspike's poop emoji is a succinct statement on this style of NFT, and I think you and I both agree with him there.

                The Beeple/Christie's link you gave is a great example of someone at least trying to do a simple NFT properly, and while nothing's ever perfectly guaranteed I think it's a shame that more creators aren't following that as a bare minimum.

                > Can you change that URL later?

                Short answer: no. Perhaps more importantly, this isn't what @Macil and I were talking about when we mentioned changing URLs above.

                Longer answer: there's nothing in the standard preventing you from adding an "update metadata" function to your smart contract when you create it, potentially with certain restrictions (e.g. only updatable by current owner), but again in common usage right now this isn't the case. This kind of caveat is why I wanted to be specific above that NFTs are actually a lot more complex than just a URL, even if the most common ones don't make use of that complexity.

                > What does "swap their calls" mean in this context?

                Now we're going outside NFTs entirely! Developers can build entire applications driven by the blockchain, and those applications need to read data from the chain, and potentially write data back depending on use case. It's generally not practical to read/write to the ethereum chain directly from the client, so your application needs to talk to a server and that server talks to the blockchain - the lack of verification generally being performed in this step was another thing Marlinspike was complaining about, incidentally.

                The calls we're talking about are the reads and writes that the client application is sending to the server, for the server to then pass along to the actual blockchain. Rather than running their own servers to talk to the chain, many devs are paying Infura or Alchemy to do it for them.

                The swap, in this case, would be from having your app call Infura to read/write on-chain data, to calling a different service to read/write that same data. Although Infura is centralised and proprietary, the data itself is not because the ethereum blockchain is public - so if Infura goes off the rails in some way, there's little to no theoretical vendor lock-in.

                That was a pretty long answer, I know, but it's an interesting space with a lot of common misconceptions so I figured it was worth going into detail. I'll end by saying that I think 99% of current NFTs are effectively Beanie Babies, and that >95% of the applications I see on the blockchain could be better achieved using a normal database - I'm not a "true believer" - but I do think there is juuust barely enough interesting tech and novel capability here not to dismiss the whole thing out of hand.

                8 votes
                1. [2]
                  nothis

                  Thanks, I'm feeling like I'm understanding blockchain stuff a little better going through this thread.

                  The technology itself sure is interesting. I'm only beginning to understand what a "smart contract" actually is, for example.

                  I still think the op's link is an interesting critique of not the technology but the social aspects of NFTs, i.e. the tendency to willingly give up control to third parties as soon as things get finicky. I find it interesting that, essentially, the technology itself is becoming a kind of fiat currency, allowing people to assign value in ways they previously didn't. Like, the blockchain seems barely involved (even in the Christie's example, a receipt would probably serve the same purpose) but it gives people an excuse to finally value a digital artwork like a real one, we just agreed on a way of doing that.

                  3 votes
                  1. Greg

                    Couldn't have put it better myself! The assignment of value in both NFTs and in the physical fine art world is just... unfathomable to me, in a very literal sense, and I think you're spot on in saying the tech is its own kind of fiat to facilitate this.

                    2 votes
                2. [2]
                  vord

                  > so if Infura goes off the rails in some way, there's little to no theoretical vendor lock-in.

                  Theoretical? No. Practical? Yes. Much like how, if matrix.org shut down, Matrix would die within days.

                  How long would it take for a newcomer to create a drop-in compatible API for these companies? Because if they can't do that, congratulations you have vendor lock-in. Especially if they just took all the crypto and went poof, where you'd no longer have the reference API to reverse engineer. It's like nobody remembers MtGox.

                  1 vote
                  1. Greg

                    I'll put my hands up now and say I haven't developed an app using these services myself, so I'm giving the best understanding I've got. With that said: the API is defined by ethereum, not by Infura. It's already drop in compatible with any of the open source client libraries built to talk to ethereum and with any other back end service, either third party or self hosted, providing a JSON-RPC interface to the chain.

                    There's definitely a danger of Infura throwing their weight around to influence future decisions on that protocol, or unilaterally extending things and trying to make it a de facto requirement that others do the same to maintain compatibility, but there is still a fundamental difference from most centralised systems here in that everyone is talking to the same "back-back end" in the form of the ethereum chain itself. There's a limit on how far Infura are able to deviate from any other equivalent service, and a set of openly defined standards that everyone can rely on as a lingua franca.

                    As for them going Mt Gox, it's an apples to oranges comparison. Mt Gox held the coins in trust (or not, as the case may be) in their own wallet, whereas Infura holds nothing and isn't even able to sign transactions - that happens client side, with the private keys remaining safe and only the cryptographically secure transaction being passed through the network.

                    Again, I'm not claiming perfect security - I can imagine if Infura went rogue they could start falsifying read data in a way that might possibly induce clients to sign transactions they otherwise wouldn't have done, but they'd be destroying their business and likely facing criminal charges for a very uncertain payoff. There should be an extra layer of signing introduced to prevent even read falsification, for sure, but they can't just take the money and run.

                    It's fair to be skeptical, in this space probably more than any other, but there are some extremely talented and intelligent people working on the underlying infrastructure here. Perhaps you can blame them for facilitating the scammers and snake oil sellers, but generally their actual technical build does at least hold up.

                    4 votes
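
The read-falsification risk raised in the comment above can be reduced on the client side by asking several independent JSON-RPC providers the same question and refusing to act unless enough of them agree. The following is an added example, not code from the thread or from any provider: the provider names, address, block number and responses are constructed, and only the JSON-RPC 2.0 envelope and the `eth_getBalance` method are real. Cross-checking is weaker than the light-client verification mentioned earlier in the thread, since providers that collude or share one upstream will still agree with each other.

```python
import json
from collections import Counter
from typing import Optional


def balance_request(address: str, block: str, req_id: int = 1) -> str:
    """Build an eth_getBalance call. Pin a block number rather than 'latest'
    so honest providers at different chain heads still return the same value."""
    return json.dumps({"jsonrpc": "2.0", "id": req_id,
                       "method": "eth_getBalance", "params": [address, block]})


def parse_result(raw: str, req_id: int = 1) -> Optional[int]:
    """Return the balance in wei, or None for any malformed or error reply."""
    try:
        msg = json.loads(raw)
    except json.JSONDecodeError:
        return None
    if not isinstance(msg, dict) or msg.get("id") != req_id or "error" in msg:
        return None
    result = msg.get("result")
    if not isinstance(result, str) or not result.startswith("0x"):
        return None
    try:
        return int(result, 16)
    except ValueError:
        return None


def cross_check(responses: dict, quorum: int, req_id: int = 1):
    """Compare replies from several providers.

    Returns (value, dissenters). value is None when fewer than `quorum`
    providers agree, in which case every provider is listed and the caller
    should not sign anything based on the read.
    """
    values = {name: parse_result(raw, req_id) for name, raw in responses.items()}
    counts = Counter(v for v in values.values() if v is not None)
    if not counts:
        return None, sorted(values)
    value, votes = counts.most_common(1)[0]
    if votes < quorum:
        return None, sorted(values)
    return value, sorted(n for n, v in values.items() if v != value)


# Constructed sample replies (hypothetical providers, not real captures).
SAMPLE_RESPONSES = {
    "provider-a": '{"jsonrpc":"2.0","id":1,"result":"0xde0b6b3a7640000"}',
    "provider-b": '{"jsonrpc":"2.0","id":1,"result":"0xde0b6b3a7640000"}',
    "provider-c": '{"jsonrpc":"2.0","id":1,"result":"0x0"}',
    "provider-d": '{"jsonrpc":"2.0","id":1,'
                  '"error":{"code":-32000,"message":"constructed error"}}',
}

if __name__ == "__main__":
    # Constructed address and block number, for illustration only.
    print(balance_request("0x" + "11" * 20, "0x10d4f"))
    print(cross_check(SAMPLE_RESPONSES, quorum=2))
```
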
      2. vord

        > The more posts I read from people with genuine knowledge of the fundamentals, the less I believe in "blockchain" as a thing

        Cryptocurrencies have been a solution seeking a problem basically from their inception, and certainly since they became an "investment."

        All of the major coins rely on burning the planet (Proof of Work). The "green" alternatives rely on "rich get richer and control the currency more" (Proof of Stake). The only major innovation I've come across is "Proof of Spacetime" by Filecoin. Incidentally, Filecoin seems to be the only one which is backed by a tangible resource (highly available storage) rather than just "fiat without the military".

    2. Greg

      Yeah, it was really refreshing to see a take that accounted for the on-the-ground reality rather than just the theoretical behaviour of the systems. I've seen a lot of people both attacking and defending the idealised models of decentralisation, far fewer discussing the way that most users actually interact with those models.

      There were some surprises in there, too. I'm at least somewhat interested in the space and I had no idea that Metamask was querying OpenSea rather than using their own servers to query the blockchain itself, for example.

      7 votes
  2. [9]
    lou

    > So as an experiment, I made an NFT that changes based on who is looking at it (...) For example, it looked one way on OpenSea, another way on Rarible, but when you buy it and view it from your crypto wallet, it will always display as a large 💩 emoji. (...) There’s nothing unusual about this NFT, it’s how the NFT specifications are built. Many of the highest priced NFTs could turn into 💩 emoji at any time; I just made it explicit.
    >
    > (...)
    >
    > ... if your NFT is removed from OpenSea, it also disappears from your wallet. It doesn’t functionally matter that my NFT is indelibly on the blockchain somewhere, because the wallet is just using the OpenSea API to display NFTs, which began returning 304 No Content for the query of NFTs owned by my address!

    That doesn't bode well for the reliability of NFTs...

    15 votes
    1. [8]
      Adys

      Everyone technically competent who looked at NFTs saw them for the absolute scam they are.

      Their “indelibility” indeed doesn’t matter. But also I don’t really know anyone who actually buys NFTs for what they are, it’s speculators all the way down in my experience.

      18 votes
      1. [7]
        mat

        I think scam is a slightly strong word here. I think NFTs were created with genuinely good intentions to make digital art a Thing of Value for artists to do. Sadly they were created by people with little to no technical knowledge, or any clue they'd obviously be turned almost immediately into a money-making scam/scheme. I also think the same about cryptocurrencies - well-meaning idiots creating tools easily used by others to do bad things (fwiw I think the same can be said for twitter, facebook and more)

        Because if any of these things were created with the intent for them to turn into the vast money-sucking horrendously destructive mess they did become, then the creators are some of the smartest, and most evil people of our generation. Sure, there are plenty of ScamCoins and ScamFTs out there now but the actual concepts I believe to be created with good intentions.

        3 votes
        1. [6]
          Akir

          On The Media did an episode about NFTs and you're right; they were created with good intentions. The problem is that the guys who invented it aren't the people who popularized it - the cryptobros did. Even the name got distorted - they originally wanted to call it Monegraph - a portmanteau of monetize and graphics.

          6 votes
          1. [5]
            mat

            Monegraph is a dreadful name, the cryptidiots were right to change that. I guess they had to be right about something eventually, just because of the law of averages..

            1 vote
            1. [4]
              Akir

              I think monegraph is still roughly a million times better than Nonfungible Token.

              4 votes
              1. [3]
                meff

                A Non-fungible Token is a term of art. If you have 100 Ether, then each Ether is fungible for another. There's no way for a smart contract (without a lot of work at least) to distinguish one Ether from another. If you create a unique token, say a badge with your name on it, another token is not fungible for this token. The reason the terms "Fungible vs Non-Fungible" exist is due to the ERC standards used to define the spec for the tokens.

                1. [2]
                  Akir

                  I'm aware of the definition of Fungible. I'm just saying it's not a great name in general. There's a reason why people call facial tissues Kleenex and not Compressed Cellulose Sheets, or why we changed Low Erucic Acid Rape Oil into Canola Oil.

                  3 votes
                  1. meff

                    Oh I fully agree. (Let me go back to drinking my Di-Hydrogen Monoxide.)

                    1 vote
  3. petrichor

    > Iterating quickly on centralized platforms is already outpacing the distributed protocols and consolidating control into platforms.

    This was also Marlinspike's reasoning for not making Signal into a federated protocol.

    7 votes