satoshi

Sr. Member





Offline



Activity: 364

Merit: 2584







FounderSr. MemberActivity: 364Merit: 2584 Development of alert system August 22, 2010, 11:55:06 PM

Last edit: August 25, 2010, 03:57:33 PM by satoshi #1 I've been working on writing the alert system. Alerts are broadcast through the network and apply to a range of version numbers. Alert messages are signed with a private key that only I have.



Nodes can do two things in response to an alert:

- Put a warning message on the status bar.

- Make the money handling methods of the json-rpc interface return an error.



In cases like the overflow bug or a fork where users may not be able to trust received payments, the alert should keep old versions mostly safe until they upgrade. Manual users should notice the status bar warning when looking for received payments, and the json-rpc safe mode stops automated websites from making any more trades until they're upgraded.



The json-rpc methods that return errors during an alert are:

sendtoaddress

getbalance

getreceivedbyaddress

getreceivedbylabel

listreceivedbyaddress

listreceivedbylabel





lfm



Offline



Activity: 196

Merit: 100









Full MemberActivity: 196Merit: 100 Re: Development of alert system August 23, 2010, 04:16:54 AM

Last edit: August 24, 2010, 11:11:12 PM by satoshi #2 Did you consider turning off block generation? You must have, why did you decide not to include it?



mizerydearia



Offline



Activity: 574

Merit: 504









Hero MemberActivity: 574Merit: 504 Re: Development of alert system August 23, 2010, 05:04:50 AM

Last edit: August 23, 2010, 05:15:50 AM by mizerydearia #3 On a side note, lfm,

it seems a bit

repetitive, your post

being the first reply

yet you quote

entirety of first post.

Of course you were

replying to that

post! Perhaps you

wanted your

post to look

more full? ^_^ I do not think it is good idea to forcefully turn off block generation. I think it is better to maintain generating blocks until the owner/user specifically disables it themselves. In most cases it may be perceived helpful to disable generating blocks automatically, but there may be some cases where it is not so helpful.



I believe there is a precedence of backlash from other communities in which implementations of remote control were produced and hindered or interfered with communities expectations. I am not certain that implementing a remote disable for block generation would be perceived similarly, but it is something to keep into consideration.

BioMike



Offline



Activity: 1658

Merit: 1001







LegendaryActivity: 1658Merit: 1001 Re: Development of alert system August 23, 2010, 05:15:43 AM #4 @mizerydearia, I think the quote button is easier to find then the reply one.



So, theoretical this is a first control system where <some goverment> can arrest satoshi and demand

that he hands over his key (or get it from his computer) and shut down the complete network?



Or is that not possible? How far would <some goverment> get?

mizerydearia



Offline



Activity: 574

Merit: 504









Hero MemberActivity: 574Merit: 504 Re: Development of alert system August 23, 2010, 05:18:02 AM #5 Quote from: BioMike on August 23, 2010, 05:15:43 AM So, theoretical this is a first control system where <some goverment> can arrest satoshi and demand

that he hands over his key (or get it from his computer) and shut down the complete network?



Or is that not possible? How far would <some goverment> get?

Ooooooh, that's a good point too!



I would suggest that as a beginning implementation for an alert system is it most basic, simple and to the point and is guaranteed to work without flaws, errors, exploits, etc. Once this seems to be accepted by most of community and seems well established and secure, perhaps then it may be safe to expand upon it. However, a single point of mass DOS seems too overwhelming to implement into the official client if there is any opportunity whatsoever to exploit it or take control of it through any means necessary. Ooooooh, that's a good point too!I would suggest that as a beginning implementation for an alert system is it most basic, simple and to the point and is guaranteed to work without flaws, errors, exploits, etc. Once this seems to be accepted by most of community and seems well established and secure, perhaps then it may be safe to expand upon it. However, a single point of mass DOS seems too overwhelming to implement into the official client if there is any opportunity whatsoever to exploit it or take control of it through any means necessary.

FreeMoney



Offline



Activity: 1246

Merit: 1011





Strength in numbers







LegendaryActivity: 1246Merit: 1011Strength in numbers Re: Development of alert system August 23, 2010, 05:23:13 AM #6 No! If you do that they'll torture you until you give them the key Satoshi!



But seriously, if the key has turn off power I'm not running that client.



I really don't even like the idea of one person having ability to send messages. Even if I/we trust that person now, we might not later, or it might be a different person, or they might get tortured/bribed/blackmailed.



I imagine this thinking comes from seeing all the people who haven't switched to 3.10 yet?



Having enough different implementations that none is a majority would mean a bug like the overflow would only lead to problems with the improperly coded client and not with the whole chain. Unless people writing new clients mostly copied your code, then any problems would remain. But if they were written from scratch to do what they should then any problems would not overlap.



Do I remember you saying you thought it would be a nightmare to have multiple implementations? I can't remember why you said that though. Play Bitcoin Poker at sealswithclubs.eu. We're active and open to everyone.

lfm



Offline



Activity: 196

Merit: 100









Full MemberActivity: 196Merit: 100 Re: Development of alert system August 23, 2010, 05:28:14 AM #7 Quote from: FreeMoney on August 23, 2010, 05:23:13 AM I really don't even like the idea of one person having ability to send messages. Even if I/we trust that person now, we might not later, or it might be a different person, or they might get tortured/bribed/blackmailed.



It's open source! If you don't trust Satoshi or think he is going to be coerced, replace his key with your own so only you have the power to shutdown your nodes.

It's open source! If you don't trust Satoshi or think he is going to be coerced, replace his key with your own so only you have the power to shutdown your nodes.

jgarzik





Offline



Activity: 1596

Merit: 1008







LegendaryActivity: 1596Merit: 1008 Re: Development of alert system August 23, 2010, 07:55:12 AM #9

A remote warning message seems reasonable.



But a remote kill switch for automated websites?



Jeff Garzik, Bloq CEO, former bitcoin core dev team; opinions are my own.

Visit bloq.com / metronome.io

Donations / tip jar: 1BrufViLKnSWtuWGkryPsKsxonV2NQ7Tcj

mizerydearia



Offline



Activity: 574

Merit: 504









Hero MemberActivity: 574Merit: 504 Re: Development of alert system August 23, 2010, 08:50:04 AM #10 Quote from: lfm on August 23, 2010, 05:28:14 AM Quote from: FreeMoney on August 23, 2010, 05:23:13 AM I really don't even like the idea of one person having ability to send messages. Even if I/we trust that person now, we might not later, or it might be a different person, or they might get tortured/bribed/blackmailed.



It's open source! If you don't trust Satoshi or think he is going to be coerced, replace his key with your own so only you have the power to shutdown your nodes.



It's open source! If you don't trust Satoshi or think he is going to be coerced, replace his key with your own so only you have the power to shutdown your nodes.

It would require a lot of effort for everyone to change keys or to upgrade to a new version. This should be recognized by those that are still using old versions even as far back as 0.3.0 and maybe even earlier. It would require a lot of effort for everyone to change keys or to upgrade to a new version. This should be recognized by those that are still using old versions even as far back as 0.3.0 and maybe even earlier.

mizerydearia



Offline



Activity: 574

Merit: 504









Hero MemberActivity: 574Merit: 504 Re: Development of alert system August 23, 2010, 09:00:51 AM #12 Automatic update for linux is far more difficult than for windows considering in windows installation of software across different versions of windows is fairly similar and has practically same hierarchy of file structure. This is not the case across different distributions of linux.



However, automatic update is not recommended. An alert indicator to notify the user to take action is best. Perhaps the bitcoind version can be configured to send an email alert to a specified email address in the config file as an extra step for alerting/notification.

Macho



Offline



Activity: 124

Merit: 100









Full MemberActivity: 124Merit: 100 Re: Development of alert system August 23, 2010, 09:49:42 AM #14



However it has to be done carefully, people do not like any unsanctioned changes to happen without their knowledge or any kind of remote control. If this would be implemented I would say that it should not execute any action unless specifically requested/confirmed by the user.



On a GUI client this would be accomplished by presenting a dialog window describing the requested actions and waiting for the user to confirm them (or check an "automatically apply changes suggested in alerts" checkbox, which would be unchecked by default).



Also a deamon should not do anything unless a specific switch for that purpose is applied like --enable-alerts. It can show a warning if this switch is not applied and suggest to enable it to the user but it shouldn't apply it by default automatically.



In short, any changes except simple alerts should be disabled by default. I was going to suggest the exact same thing... you beat me to itHowever it has to be done carefully, people do not like any unsanctioned changes to happen without their knowledge or any kind of remote control. If this would be implemented I would say that it should not execute any action unless specifically requested/confirmed by the user.On a GUI client this would be accomplished by presenting a dialog window describing the requested actions and waiting for the user to confirm them (or check an "automatically apply changes suggested in alerts" checkbox, which would be unchecked by default).Also a deamon should not do anything unless a specific switch for that purpose is applied like --enable-alerts. It can show a warning if this switch is not applied and suggest to enable it to the user but it shouldn't apply it by default automatically.In short, any changes except simple alerts should be disabled by default.

FreeMoney



Offline



Activity: 1246

Merit: 1011





Strength in numbers







LegendaryActivity: 1246Merit: 1011Strength in numbers Re: Development of alert system August 23, 2010, 09:53:56 AM #15 Quote from: lfm on August 23, 2010, 05:28:14 AM Quote from: FreeMoney on August 23, 2010, 05:23:13 AM I really don't even like the idea of one person having ability to send messages. Even if I/we trust that person now, we might not later, or it might be a different person, or they might get tortured/bribed/blackmailed.



It's open source! If you don't trust Satoshi or think he is going to be coerced, replace his key with your own so only you have the power to shutdown your nodes.



It's open source! If you don't trust Satoshi or think he is going to be coerced, replace his key with your own so only you have the power to shutdown your nodes.

Well, yeah, that's what I'd need to do, but since I'd have to buy/beg it from someone who can implement I'd prefer to have the main client just be what I want. Also I'd stay more comfortable with bitcoin on the whole if other people don't have a centrally controlled client. I know I could convince them to use a non-special-key version, but really that's what I'm doing right now.



Messages only is not a big deal, but I think it does start down a "special user" path that I'd prefer not to follow. Well, yeah, that's what I'd need to do, but since I'd have to buy/beg it from someone who can implement I'd prefer to have the main client just be what I want. Also I'd stay more comfortable with bitcoin on the whole if other people don't have a centrally controlled client. I know I could convince them to use a non-special-key version, but really that's what I'm doing right now.Messages only is not a big deal, but I think it does start down a "special user" path that I'd prefer not to follow. Play Bitcoin Poker at sealswithclubs.eu. We're active and open to everyone.

nelisky



Offline



Activity: 1540

Merit: 1000







LegendaryActivity: 1540Merit: 1000 Re: Development of alert system August 23, 2010, 10:45:52 AM #16 Being open source does not mean every user is a coder (I am, but still) so I guess the point that "you can just roll out your own client" is a little off.



But why is satoshi integrating this on the server in the first place? I say that the libbitcoin / bitcoinUI separation is starting to be really important. Put the messaging system on IRC on the UI, make the UI smart enough to stop, block, maim, impair the server running beneath it if certain messages signed with certain keys appear. But DON'T make the server respond to anything outside local GUI control, just because that is too dangerous and in the end does more harm than good.



This way, average users will have the upgrade notices and the generators stopped and whatnot when needed, but those of us running services over bitcoin will not loose shop because of that. Also, if the key gets compromised, the network still runs without worries, and a simple GUI change will unblock everyone.



For server admins, why not a mailing list for update announces? That would certainly be enough for most.

Anonymous Guest



Re: Development of alert system August 23, 2010, 12:38:15 PM #17 I second the mailing list idea.Having a way to shut down the system if you control the key would be a bad idea.

A mailing list makes it non coercive rather than seeming like there is a kill switch that could wipe your bitcoins out.