Existing problems and the future of SIA



  • I am reading the forum and I see complaints about the wallet auto-charging without authorization, not being able to select price when buying storage and ending up with very high fees even for uploading/downloading, losing coins when canceling contracts, the software writing constantly on disk for no reason and SiaHub even displays the IPs of the hosts!

    Where is the lead programmer? Do we have any official comments on those issues? Is there anywhere any todo list which specifies the known problems that must be solved? Those issues are very damaging and should have been solved long ago. What is going on?

    PS: Why is the website tracking users? https://forum.sia.tech/nodebb.min.js?a4f19ecf-8049-49e1-a1f4-b7ae21f4bd5d line 9 column 25171

    Reddit counterpart: https://www.reddit.com/r/siacoin/comments/6mcatn/existing_problems_and_the_future_of_sia/



  • Developers are in Reddit /r/siacoin and in https://siatalk.slack.com/ (invite).

    <rant mode on>
    I suggest you take some time to read through the easily available documentation (see links in the side bar to the right), Reddit and Slack, and then you'll notice that many of the points you bring up as complaints are really working as designed, and are just misunderstood by some newcomers in the community. These are not the points to be worried about!

    I take it you wrote this post because you want to help. If so, then please dive in and educate other newcomers about what Sia is really about! Sia popularity has exploded over the last couple of months, and the devs and the existing community simply don't have enough hours in the day to deal with all the misunderstandings of newcomers left and right.
    </rant mode off>



  • @maol Working as intended? I don't see how being charged without your consent, buying storage blindly in terms of price, the software writing on disk every 1 second with 0 files decreasing the lifespan of the disk is called "working as intended". Plus, displaying your hosts' IPs and ports publicly is like asking to be attacked! Also, why would you want to track your users' fingerprints with pixels?

    I'm all in for this project and helping people, but those things that I mentioned are very "nooby" and unacceptable for a 200m worth of crypto project. If a dev could comment on these and reassure us that would be great.



  • @bugger
    good points...

    Unofficial User / Tester / Analyst of Sia ( w/Renter and Host experience)

    0


  • @bugger Mention one piece of Internet software that works without IP's please :)



  • @DcyMatrix To be honest, a lot of things works without displaying ip:s publicly to others when you talk about to computers communicating with each other. You use some sort of layer in between (like a server I guess?) to make sure that it is hard to single out a computer that hosts and DDOS it.

    I have nothing bad to say about the devs at this point, since I just recently started following SIA. I'm sure the're doing the very best they can and intend to make this as secure as possible and take things in the order that looks best to them.

    Is it true that they're only 3 people working on this project at the moment? If so it's incredible how far they've taken it and I sure hope they get more resources to speed up everything.



  • @bugger Sia can provided 3x redundancy encryption across a decentralized network- but cant mask an IP address of a host? hmmm

    Unofficial User / Tester / Analyst of Sia ( w/Renter and Host experience)

    1


  • @DcyMatrix I think that @flibben has covered you. In the case of SIA theres no central server so the IPs should be encrypted with an algorithm that only the program knows of.

    @flibben I don't bash the devs either, I'm sure they have poured their sweat and time into this project to make it what it is today. That being said, feedback is a must and current issues especially critical issues like these should be given attention and should be resolved as soon as possible.

    @moorsc0de no **** :D exactly. I think that privacy means a lot for SIA and generally cryptocurrencies so an IP is like your real life home address. With a 100$ server and dns server scripts 1 person can attack the whole array of SIA's hosts' homes and render them uninhabitable/useless. That is even easier than a double spend 51% attack and more effective. It's only natural that privacy should be taken care of within SIA.



  • @bugger
    I'm curious how effectively and for how long a $100 server could DoS-attack the current network of 600+ nodes...
    And, believe me, if someone will want to attack the network, that someone will find out the list of nodes and corresponding IPs. If necessary, by modifying the source code, as it is opensource. An attacker with intentions does prepare the attack before carrying it out.
    So, why unnecessary complicate things now?
    Just remember, Sia is in early stage yet.
    There will be much more hosts if/when the "product" matures and hosting turns somewhat profitable.



  • @reinisp With encrypted IPs an attacker would have to actually form contracts and buy storage to find the IP of the specific host he is using. This is incredibly time consuming, requires a lot of money and you don't know which host you'll end up using since you can't select. It may not even possible to find 50% of IPs this way.

    As for the server, a 100$/month server can DDoS hundreds of GB per second with the right scripts. With vulnerable dns servers the server can amplify its power many many many times. Take a look here: https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification . Example: My server sends 1 GB worth of packets per second to thousands of different dns servers -> each dns server is requested to request information sending x200 times more the bandwidth sent to them -> 200 GB worth of packets requesting info from SIA hosts -> SIA hosts are overwhelmed and are unable to send the information requested by the dns servers on time while all their resources are trying their best to talk back to dns servers -> the more time passes the more responses SIA hosts have to give back to dns servers rendering their internet useless. Basically the server sends packets to vulnerable dns servers all over the world manipulating them to send even bigger packets to the targets so even with a 10$ server it is possible to put SIA off business forever. That's how bad the situation is.

    Edit; Not to mention that a potential DDoS will generate hate for SIA since victims' internet will be unresponsive completely and they'll have to change their IPs if they have static.



  • With encrypted IPs an attacker would have to actually form contracts

    How could the attacker form a contract if the hosts IP address is not known? Every renter needs the list of available hosts.
    If the IPs are stored somewhere and handed out in encrypted form to "legitimate renters" only, it would be easier to attack the Host list serving server.

    And I doubt you can get a server for 100$ with available bandwith to "send 1 GB worth of packets per second to thousands of different dns servers". Anyway, that type of attack is effective against a limited count of servers, but ineffective against a globally distributed network with thousands of hosts.



  • @reinisp said in Existing problems and the future of SIA:

    With encrypted IPs an attacker would have to actually form contracts

    How could the attacker form a contract if the hosts IP address is not known? Every renter needs the list of available hosts.
    If the IPs are stored somewhere and handed out in encrypted form to "legitimate renters" only, it would be easier to attack the Host list serving server.

    And I doubt you can get a server for 100$ with available bandwith to "send 1 GB worth of packets per second to thousands of different dns servers". Anyway, that type of attack is effective against a limited count of servers, but ineffective against a globally distributed network with thousands of hosts.

    It's not that the IPs are not known, they are but only by the software. Encrypted IPs are used in torrents for example so an outsider can never know your IP. Now when someone uploads files to a host he can easily track the IP he is interacting with. Now I think that I missed is that if you upload a few files they are going to go to 30 hosts. So that's 30 IPs per contract.

    I'm not involved in DDoSing years now so go to hackforums and play the 'buyer'. Ask someone to display a test DDoS to you and give us a screenshot with the bolume of attack in GB/s. You need like 100-200$ one time for scripts and servers if you cant find them yourself and a server with 1 GB / 1000 mbps internet. It doesn't cost much neither it requires time. You can even have someone from hf to set you up a server with everything you need to DDoS. You don't even need to know coding or anything.

    Finally, you said that it can't work vs a global distributed network. At some point in the past Microsoft, Facebook, Google, Youtube, Amazon and every major company you can imagine has been successfully DDoSed and we are talking about the biggest clouds ever. Even half of the internet was disrupted during a DDoS attack.You think that SIA home user hosts with 100 mbp/s will survive? Inform yourself and Do the math.



  • For your concern of the software continually writing to disc, is this happening while running as a host or while just running the software & uploading?

    This would somewhat concern me as well given I'm running on solid state all over & this would also worry me to some degree



  • @intheclouds someone here: https://dm.reddit.com/r/siacoin/comments/6mcatn/existing_problems_and_the_future_of_sia/

    said

    The more contracts are concluded by host ==> the more data that is written: Each second few files (related to the concluded contracts) are rewritten, and their their sizes are proportional to number of already signed contracts and amount of reversed space on disk.

    So for a good active node with bunch of contracts it can be not just 10Gb/day buy hundreds gigabytes per day of useless/redundant data writing

    so as a host

    and another

    Yes, other programs write to disk. None of mine write more than a GB per day, so they're negligible for this discussion.

    At a link above, someone measured about 10GB a day with active contracts. Do you have a source or a measurement suggesting that it's 10x that?

    At 100GB a day, my SSD life is limited to around 7 years. Again, that's over what I consider to be the useful life of a drive, so it doesn't bother me.

    Absolutely this is a big bug that must be fixed -- I'm not arguing that it's inconsequential! But it's not killing my drive to the point that I feel I should shut it down until they roll out a fix whenever they get around to this particular issue in their endlessly expanding to do list.

    They are aware of the bug and will fix it. We have no ETA at this point.



  • This post is deleted!


  • @flibben It's a false sense of security in my opinion, if I have a renter with some secret algo that encrypts the ips it contacts, it still need to make the actual connection. Where to upload the data? You can just observe the outgoing traffic and see the ip's connected too. If you go through a gateway of any kind, that becomes a point of failure as well. But instead of having DDOS'ed 1 server, you take down the gateway, it might be 100's of servers impacted instead of just one. Keeping it as decentralized as possible is the best way to keep the data and the network up. Creating single points of targets for DDOS is sure to bring it all to a halt.
    There is also no one that says you're not allowed to setup a VPN or reverse proxy as a hoster to hide your true IP.
    It is very early days of Sia, so maybe a solution will be found, I could think of IPv6 might hold the answer.



  • @DcyMatrix Why did you delete your first post? As for the encrypted IPs the only thing that changes is the format of the IP. Instead of 123.456.789 (IPv4) or :7a07:1234:556c:777:f363:8899:tre7:9q21 (IPv6) you'll see something like ABC123deF456gHIk789LmN. That's all. No gateway or any centralized middle-man server. That doesn't mean that your IP wont be able to make connections with hosts' IPs. The software is able to convert the encrypted IP back to normal with its algorithm.

    Now, when you upload files, your files are spread across 30 hosts. So if you scan the connections you'll get 30 IPs.



  • @bugger Deleted my first post because I wanted to reply to flibben not you, so my post appeared to reply to you, but only flibben was the one I mentioned in the post itself :P

    But I still stand by my remark I think it's a false sense of security. I don't see anything stopping anyone from simply scanning all the Ipv4 space for Sia hosts. So again, you think your 'hidden' when you're really not hidden at all. Hence the false sense of security.



  • @bugger @reinisp With encrypted IPs an attacker would have to actually form contracts and buy storage to find the IP of the specific host he is using. This is incredibly time consuming, requires a lot of money and you don't know which host you'll end up using since you can't select. It may not even possible to find 50% of IPs this way.

    --- This is actually something I could see implemented via the blockchain, if a renter announce on the blockchain it wants to form contracts, then the Sia hosters reading the chain all the time, will be able to 'bid on the contract' and then even encrypt the answer to the renter only. Sounds like a great idea :-) But still would make your hosts vulnerable to a ipv4 scan of the internet for Sia hosts. Unless the hosts reply to the renter would include a 'port knock' to signal the host it's a real renter contacting you :D



  • @DcyMatrix
    I still can't imagine how (without centralization) could a node with the intention to rent some storage get the IP needed for contacting host regarding the offered contract details. Even if it is encoded into the blockchain itself, the blockchain is publicly available and every node is able to decrypt the contents. The attacker just needs to run the node and let it sync the blockchain...

    if a renter announce on the blockchain it wants to form contracts, then the Sia hosters reading the chain all the time, will be able to 'bid on the contract'

    That would turn the renter into the target for DDoSing...



  • @DcyMatrix @reinisp anything is better than this: https://siahub.info/ really. The current situation is like "I let my house door open, because even if I lock it, it is still possible to bypass it. Oh and by the way, here's where I live: https://siahub.info/. "


Log in to reply