I think the best possible scenario for bitcoin is it's severely and progressively attacked and we anticipate and adapt to survive it. The worst possible scenario is bitcoin isn't attacked, becomes ubiquitous, and is only then attacked and more people suffer a loss from it.
In conversation at a btc++ after event last night. My conversation partner was surprised by how few projects in bitcoin had bug bounties or processes for responsible disclosure (and named names that I will not name). He was also surprised that we didn't have a red team sponsored for the lightning network and that there aren't more projects like lnsploit being sponsored.
The concept of a red team was new to me but the utility seems high. I haven't heard this discussed much outside of "there's a 1 trillion dollar bug bounty on bitcoin," which implies bitcoin doesn't need something like a red team because real attackers are already incentivized. To me, naive as a freshly born babe on such matters, that doesn't seem like the best approach to hardening these things. It sounds a lot like saying the best preparation for a war is being attacked by your enemy and we should just wait for that to happen.
We want well financed good guys attacking bitcoin, right? Is that a bad idea for some reason, or is it just not necessary?
247 sats \ 1 reply \ @kepford 2 May
there's a 1 trillion dollar bug bounty on bitcoin
Another way to think about this is that the 1 trillion dollar bug bounty will likely be a bad actor, not a good actor. An actual bug bounty would set some expectations for compensation and not just be game theory based theft from the network. Or why not have both. Bitcoiners have skin in the game. Our money is on the line literally. Seems only logical that all of us that use lightning should seek out incentives to harden the network.
reply
155 sats \ 0 replies \ @ek 2 May
Another way to think about this is that the 1 trillion dollar bug bounty will likely be a bad actor, not a good actor
This.
Also, if we solely rely on such bad actors, we will be blind to any kind of vulnerability until it was already exploited and thus too late. Security usually works in layers, so relying on "we haven't seen anyone stealing bitcoin via a protocol vulnerability yet" sounds like waiting until all layers are breached before we fix something. It's usually a lot of small details that combined lead to catastrophic failure.
We should already be alerted when some assumptions can be broken even if that doesn't immediately result in a severe vulnerability. But we won't notice if bad actors find vulns with low CVSS.
But it's true, everyone in bitcoin should be incentivized to put in our due diligence in keeping bitcoin secure, but I am not sure if that's as effective as it sounds.
reply
I have a thought in the back of my mind, that it would be neat if there were a software program that gets all of the software you use on your system and gets the payment addresses for each maintainer of that software along with some analysis of what needs more money and what's already funded.
It's around the same thought I had about making a miner fee support program that donates part of your miner fee for your tx (so you're intentionally paying more in miner fees) to a program that detects if a block contains miner-fee-paying txs and, if none, subsidizes the block with the emergency donation pool. (By the way, CTV kinda does that https://utxos.org/uses/scaling/ using congestion controlled transactions. Just have a bunch of minimum feerate txs ready to go and it doesn't have to detect anything; a miner will pick it up if they need it.)
Both would be opt-in obviously
reply
Maybe the market has priced in the apparent lack of Bitcoin’s readiness to a systematic attack and has concluded: it’s worth a trilly.
Also: maybe the market is rather impressed that this new protocol has matched about 7% of gold's value and has concluded: it's worth a trilly.
Conclusion: we are still in price discovery.
reply
bug bounties or processes
I think this is more cultural than needing to be specifically outlined in OSS. The majority of eyes on decentralized/oss are the users of it.
Is this person equally concerned with the supply chain as well? Libs, operating systems, and so on?
a red team sponsored for the lightning network
Based on all the Lightning FUD that comes from grantees, competing initiatives to Lightning are that by default.
There are disincentives at work in a sponsored red team model... at least a bounty or successful attack is based on results.
Implementations are also not the network, who's to say whom Lightning Labs or Blockstream hire for review in private?
more projects like lnsploit being sponsored
Maybe because no one uses this one in the first place?
concept of a red team was new to me
Probably because it's antiquated, was more of a closed-source commercial thing. Who needs it more? Microsoft or Debian?
real attackers are already incentivized
That, and not just from the honeypot aspect: FUD as mentioned above is incentivized by competition... and it's already a David v. Goliath battle.
best preparation for a war is being attacked by your enemy
The only alternative is fighting the last war
We want well financed good guys attacking bitcoin, right? Is that a bad idea for some reason, or is it just not necessary?
Seems like the wrong question unless we assume resources are infinite? Assuming not, should it be a higher priority? Empirically there seems to be little to no justification for it.
reply
There are already a lot of eyes on the Bitcoin code. There are many interests to defend and there are certainly many people paying attention to this issue. I don't think it's a bad idea to have a red team, but now I ask, who would fund this red team?
reply
64 sats \ 1 reply \ @k00b OP 2 May
There are a lot of eyes on it, but not all eyes are equal.
who would fund this red team?
People that have a large financial interest in bitcoin's success?
reply
that's an option, I suspect these individuals already have someone overseeing. It's definitely not the same as a red team approach. Perhaps donations could be a viable solution. Another question that just came to mind: who would choose the red team members? It's a complex issue, I must admit. Maybe bug bounties would be the best approach after all.
reply
10 sats \ 0 replies \ @om 2 May
We kinda have a testnet red team: #523971 And most people aren't happy
reply
Taproot Wizards
reply
The reason is because specifically in the case of crypto, people think that red teams that break into systems are supposed to be getting a financial reward in the form of some funded private key they find.
So, it makes it very hard to organize a bug bounty when people (or nation states) will just try to hack and steal it without sharing their method of how it was done.
reply
Seems fundamentally like a free rider problem. Here are some solutions. My money's on the second (software dev has great ROI) and last (Bitcoin operates on social contract) options working for Bitcoin. One is also interesting; imagine El Salvador funding devs as part of treasury operations.
1. Government Provision
As we mentioned earlier, the government can provide public goods that are susceptible to free riding instead of private firms.
2. Non-Profit and Charitable Provision
Non-profits and other charitable organizations can also provide public goods, so long as there are enough funds to make the good or service available.
3. Changes to the Good or Service Being Sold
Companies can find ways to mitigate the free rider problem by making changes to their product. For example, a subway turnstile discourages most people from sneaking on to the subway and riding for free. If Wikipedia wished to do so, they could add a paywall to make their service excludable or they could seek revenues elsewhere by placing paid advertisements on their site.
4. Market Interventions
Certain market interventions might also help to discourage free riding. For example, consumers of a non-excludable good or service could be required to sign a contract enforceable by law that obligates them to pay for what they consume. The government could also tax or subsidize goods or services in a way that ensures that sellers have an incentive to continue their products or in a way that ensures that consumers pay for what they consume.
5. Altruistic Preferences, Social Norms & Social Pressures
Sometimes altruism, social norms, and social pressures are the best remedy for the free rider problem. If people are altruistic, they look beyond their immediate self-interest and derive pleasure from doing things for others. Social norms and social pressures work similarly. You would be less likely to free ride in a team project if your team members were your close friends or if you were afraid of being shunned or scorned by them as a result of your actions.
Public campaigns, such as campaigns to get out the vote and to keep neighborhoods clean, can often discourage free riding because they give people a sense of pride or social responsibility beyond what is in their limited self-interest. If social preferences and obligations motivate individuals beyond their narrow self-interest, they will often resist free riding even when there is an opportunity to do so.
reply
Isn't it always good to be prepared? All it takes is a creative mind, and things can start to unravel.
reply
Can we also have a green team?
Can we play a match?
Sorry but I just want to say Bitcoin isn't a game.
We don't require these fuckin' pretenders, what we need are pure Bitcoiners.
reply
The other side is called "blue team" ... The blue team already exists.
I didn't say bitcoin is a game.
reply
I don't like pretenders. We already shield Bitcoin with the energy we apply while mining.
reply
Sir, you're right. I know we have a blue team. That's why I aspired to a green one.
I only wanted to say: why make it more pretending when we can have some real ones? Also, Bitcoin is so true that it needs no shield.
A truth doesn't need a shield.
reply
0 sats \ 3 replies \ @om 2 May
Also, Bitcoin is so true, that it needs no shield. A truth doesn't need a shield.
The purpose of all the energy burned for mining is to create a shield, in Saylor's terms, a wall of energy.
reply
Yes, and that's the shield we already have, why do we require another one? That too of pretenders?
reply
100 sats \ 1 reply \ @om 3 May
To protect us from attacks coming at a different angle, of course. No amount of energy burned would save us from vulnerabilities in the code. Your room likely has 4 walls instead of 1 for similar reasons.
That too of pretenders?
You can call security research with a bad word but that doesn't change our need for security.
reply
I agree we need security but not with the 'Red team'. We must avoid the pretenders.
reply